Methods for associating an ip address to a user via an appliance

ABSTRACT

The present disclosure describes methods and systems for efficiently assigning, managing and querying virtual private network (VPN) addresses intranet IP (IIP) addresses of users, such as SSL VPN users on an enterprise network. The disclosure describes techniques and policies for assigning previously-assigned VPN addresses of a user to subsequent sessions of the user as the user logs in multiple times or roams between access points. The disclosure also describes a configurable user domain naming policy so that one can query the VPN address of a user by an easily referable host name identifying the user. The appliance and/or client agent provides techniques for applications to seamlessly and transparently communicate on the VPN using the VPN address of the user or client on the private network.

FIELD OF THE INVENTION

The present invention generally relates to data communication networksand, in particular, to systems and methods for assigning, managing, andproviding Intranet Internet Protocol addresses for SSL VPN users.

BACKGROUND OF THE INVENTION

A typical computer system uses a single internet protocol (IP) addressassigned to the computer system. Any user session or program on thecomputer will use the IP address of the computer for networkcommunications on a TCP/IP network. Communications over the network toand from the computer, for example between a client and a server, usethe computer's IP address as part of the network communications of thecomputer. In a virtual private network environment, a remote user mayestablish a virtual private network connection from a client to a secondnetwork, such as via an SSL VPN connection from a client on a publicnetwork to a server on a private network. On the second network, asecond IP address is used for communications between the client and theserver.

A user of the virtual private network may log in via the same computingdevice or roam between computing devices. For each login session, adifferent second IP address may be used for virtual private networkcommunications. Also, for each computing device of the user, a differentsecond IP address may be used for virtual private networkcommunications. As such, the user and/or computing device of the usermay be associated with different IP addresses on the virtual privatenetwork at various times. In some cases, the user may have multiplevirtual private network sessions concurrently, and thus, multiple IPaddresses on the private network. Identifying, tracking or managing thevirtual private network addresses of remote users is challenging, andmay be compounded in an environment with a multitude of remote virtualprivate network users. Thus, it is desirable to provide systems andmethods to more efficiently manage and assign IP addresses for users ofa virtual private network. It is also desirable to provide systems andmethods to identify the virtual private network address assigned to auser of a virtual private network.

In one case, an application is designed and constructed to operate usingthe local internet protocol address of the client. When the user isconnected via a virtual private network connection to a second network,the application may have issues communicating over the connection to theprivate network. For instance, the application may only be aware of theIP address assigned to the computer. Since it is not aware of any of thesecond IP addresses associated with the user or computer on the virtualprivate network, the application may not be able to communicate over thevirtual private network connection. Thus, it is desirable to providesystems and methods to allow an application to communicate over thevirtual private network connection using virtual private network IPaddresses.

BRIEF SUMMARY OF THE INVENTION

The intranet IP address management solution of the appliance and/orclient agent of the present invention described herein provides anenvironment for efficiently assigning, managing and querying virtualprivate network addresses, referred to as intranet IP (IIP) addresses ofvirtual private network users, such as a multitude of SSL VPN users onan enterprise network. The appliance provides techniques and policiesfor assigning previously assigned virtual private network addresses of auser to subsequent sessions of the user as the user logs in multipletimes or roams between access points. This technique is referred to IIPstickiness as the appliance attempts to provide the same IIP address toa roaming VPN user. The appliance also provides a configurable userdomain naming policy so that one can ping or query the virtual privatenetwork address of a user by an easily referenceable host nameidentifying the user. The appliance and/or client agent also providetechniques to allow applications to seamlessly and transparentlycommunicate on the virtual private network using the virtual privatenetwork address of the user or client on the private network.

In one aspect the present invention relates to a method for assigning,by an appliance, one of a plurality of multiple intranet internetprotocol addresses of a network to a user when the user accesses thenetwork via a secure socket layer virtual private network connection(SSL VPN). The method includes the steps of: designating, via anappliance, a plurality of intranet internet protocol addresses of afirst network to a user accessing the first network via a SSL VPNconnection, the appliance providing SSL VPN connectivity between thefirst network and a client on a second network, and receiving, by theappliance, a request from the client operated by the user to establish aSSL VPN connection with the first network. In one embodiment, theappliance identifies the user via a login request to the appliance. Inresponse to the request, the appliance assigns to the client as aninternet protocol address on the first network a first intranet internetprotocol address of the first user from the plurality of intranetinternet protocol addresses the first intranet internet protocol addresspreviously assigned to the first user.

In one embodiment, the method includes determining, by the appliance,the first intranet internet protocol address to assign to the user basedon a policy. In some embodiments, the policy indicates to assign to theuser a most recently used intranet internet protocol address of theuser. In another embodiment, the method includes determining, by theappliance, a most recently used intranet internet protocol address ofthe user for the first intranet internet protocol address. In someembodiments, the method includes assigning to a second client of theuser establishing a SSL VPN connection with the first network a nextmost recently used intranet internet protocol address of the user. Inone embodiment, the appliance determines an inactive intranet internetprotocol address from the plurality of multiple intranet internetprotocol addresses as the first intranet internet protocol address.

In yet another embodiment, the method includes determining, by theappliance, the plurality of intranet internet protocol address of theuser is active. In response to the determination, the appliance requeststhe user to transfer to a virtual private network connection of the userassigned an active intranet internet protocol address. In someembodiments, the appliance determines the plurality of intranet internetprotocol address of the user is active, and in response to thedetermination, provides a mapped internet protocol address to theclient.

In one embodiment, the method includes hosting, by the appliance, thefirst intranet protocol address of the client on the first network. Inanother embodiment, an agent on the client establishes the virtualprivate network connection via the appliance. In some embodiments, themethod includes assigning, via the appliance, the plurality of intranetinternet protocol addresses as a range of internet protocol addressesidentified via a subnet mask. In one embodiment, the appliance allocatesa pool of intranet internet protocol addresses to assign to a pluralityof users accessing the first network via a SSL VPN connection. In someembodiments, the appliance obtains the plurality of intranet internetprotocol addresses from a Domain Name Server of the first network.

In one aspect, the present invention is related to a method forresponding to a request of an application for a client's networkidentifier with an intranet network identifier of the client on a securesocket layer virtual private network (SSL VPN) connection to a network.The method includes the step of requesting, by an application on aclient, a network identifier of the client. The client is connected froma first network to a second network by a SSL VPN connection establishedvia an appliance. The appliance assigns to the client an intranetnetwork identifier on the second network. The method also includesintercepting, by a hooking mechanism of an agent on the client, therequest; and providing, by the hooking mechanism, to the application theintranet network identifier of the client on the second network inresponse to the request.

In one embodiment, the method includes transmitting, by the agent, arequest to the appliance for the intranet network identifier of theclient on the second network, and in response to the request,transmitting, by the appliance, to the agent the intranet networkidentifier of the client on the second network. In another embodiment,the method includes querying, by the appliance, the intranet networkidentifier of the client in a routing table.

In some embodiments, the method includes establishing, by the agent, theSSL VPN connection to the second network. In other embodiments, thenetwork identifier is an internet protocol address or a host name. Inanother embodiment, the method includes requesting, by the application,an internet protocol address of the client corresponding to a host nameof the client.

In yet another embodiment, the method includes requesting, by theapplication, a socket address data structure corresponding to a hostname of the client. In some embodiments, the method includes requesting,by the application, the network identifier of the client via any one ofthe following application programming interface calls: gethostbyname,getaddrinfo, WSAIoctl, getsockname, WSALookupServiceBegin,WSALookupServiceNext, and WSALookupServiceEnd.

In yet another embodiment, the application comprises an onlinecollaboration tool. In some of these embodiments, the method includesestablishing, by the online collaboration tool, a connection to anonline collaboration environment on the second network using theintranet network identifier of the client on the second network. In oneembodiment, the appliance designates a plurality of intranet internetprotocol addresses for a user of the client. In some of theseembodiments, the method includes assigning, by the appliance, to theclient a first intranet internet protocol address from the plurality ofintranet internet protocol addresses based on identification of the userof the client and/or a policy. In yet another embodiment, the methodincludes hosting, by the appliance, on the second network the intranetnetwork identifier of the client.

In another aspect, the present invention is related to a system forresponding to a request of an application for a client's networkidentifier with an intranet network identifier of the client on a securesocket layer virtual private network (SSL VPN) connection to a network.The system includes means for requesting, by an application on a client,a network identifier of the client. The client is connected from a firstnetwork to a second network by a SSL VPN connection established via anappliance. The appliance assigns to the client an intranet networkidentifier on the second network. The system also includes mean forintercepting, by a hooking mechanism of an agent on the client, therequest; and means for providing, by the hooking mechanism, to theapplication the intranet network identifier of the client on the secondnetwork in response to the request.

In one aspect the present invention relates to a method for assigning,by an appliance, one of a plurality of multiple intranet internetprotocol addresses of a network to a user when the user accesses thenetwork via a secure socket layer virtual private network connection(SSL VPN). The method includes the steps of: designating, via anappliance, a plurality of intranet internet protocol addresses of afirst network to a user accessing the first network via a SSL VPNconnection, the appliance providing SSL VPN connectivity between thefirst network and a client on a second network, and receiving, by theappliance, a request from the client operated by the user to establish aSSL VPN connection with the first network. In one embodiment, theappliance identifies the user via a login request to the appliance. Inresponse to the request, the appliance assigns to the client as aninternet protocol address on the first network a first intranet internetprotocol address of the first user from the plurality of intranetinternet protocol addresses the first intranet internet protocol addresspreviously assigned to the first user.

In one embodiment, the method includes determining, by the appliance,the first intranet internet protocol address to assign to the user basedon a policy. In some embodiments, the policy indicates to assign to theuser a most recently used intranet internet protocol address of theuser. In another embodiment, the method includes determining, by theappliance, a most recently used intranet internet protocol address ofthe user for the first intranet internet protocol address. In someembodiments, the method includes assigning to a second client of theuser establishing a SSL VPN connection with the first network a nextmost recently used intranet internet protocol address of the user. Inone embodiment, the appliance determines an inactive intranet internetprotocol address from the plurality of multiple intranet internetprotocol addresses as the first intranet internet protocol address.

In yet another embodiment, the method includes determining, by theappliance, the plurality of intranet internet protocol address of theuser is active. In response to the determination, the appliance requeststhe user to transfer to a virtual private network connection of the userassigned an active intranet internet protocol address. In someembodiments, the appliance determines the plurality of intranet internetprotocol address of the user is active, and in response to thedetermination, provides a mapped internet protocol address to theclient.

In one embodiment, the method includes hosting, by the appliance, thefirst intranet protocol address of the client on the first network. Inanother embodiment, an agent on the client establishes the virtualprivate network connection via the appliance. In some embodiments, themethod includes assigning, via the appliance, the plurality of intranetinternet protocol addresses as a range of internet protocol addressesidentified via a subnet mask. In one embodiment, the appliance allocatesa pool of intranet internet protocol addresses to assign to a pluralityof users accessing the first network via a SSL VPN connection. In someembodiments, the appliance obtains the plurality of intranet internetprotocol addresses from a Domain Name Server of the first network.

The details of various embodiments of the invention are set forth in theaccompanying drawings and the description below.

BRIEF DESCRIPTION OF THE FIGURES

The foregoing and other objects, aspects, features, and advantages ofthe invention will become more apparent and better understood byreferring to the following description taken in conjunction with theaccompanying drawings, in which:

FIG. 1A is a block diagram of an embodiment of a network environment fora client to access a server via an appliance;

FIG. 1B is a block diagram of an embodiment of an environment fordelivering a computing environment from a server to a client via anappliance;

FIGS. 1C and 1D are block diagrams of embodiments of a computing device;

FIG. 2A is a block diagram of an embodiment of an appliance forprocessing communications between a client and a server;

FIG. 2B is a block diagram of another embodiment of an appliance foroptimizing, accelerating, load-balancing and routing communicationsbetween a client and a server;

FIG. 3 is a block diagram of an embodiment of a client for communicatingwith a server via the appliance;

FIG. 4 is a block diagram of an embodiment of an appliance and clientproviding an Intranet Internet Protocol (IIP) environment;

FIG. 5 is a flow diagram depicting steps of an embodiment of a methodfor practicing a technique for assigning an IIP address to a user;

FIG. 6 is a flow diagram depicting steps of an embodiment of a methodfor providing the IIP address assigned to the user to an application ona client; and

FIG. 7 is a flow diagram depicting steps of an embodiment of a methodfor querying the IIP address assigned to a user.

The features and advantages of the present invention will become moreapparent from the detailed description set forth below when taken inconjunction with the drawings, in which like reference charactersidentify corresponding elements throughout. In the drawings, likereference numbers generally indicate identical, functionally similar,and/or structurally similar elements.

DETAILED DESCRIPTION OF THE INVENTION A. Network and ComputingEnvironment

Prior to discussing the specifics of embodiments of the systems andmethods of an appliance and/or client, it may be helpful to discuss thenetwork and computing environments in which such embodiments may bedeployed. Referring now to FIG. 1A, an embodiment of a networkenvironment is depicted. In brief overview, the network environmentcomprises one or more clients 102 a-102 n (also generally referred to aslocal machine(s) 102, or client(s) 102) in communication with one ormore servers 106 a-106 n (also generally referred to as server(s) 106,or remote machine(s) 106) via one or more networks 104, 104′ (generallyreferred to as network 104). In some embodiments, a client 102communicates with a server 106 via an appliance 200.

Although FIG. 1A shows a network 104 and a network 104′ between theclients 102 and the servers 106, the clients 102 and the servers 106 maybe on the same network 104. The networks 104 and 104′ can be the sametype of network or different types of networks. The network 104 and/orthe network 104′ can be a local-area network (LAN), such as a companyIntranet, a metropolitan area network (MAN), or a wide area network(WAN), such as the Internet or the World Wide Web. In one embodiment,network 104′ may be a private network and network 104 may be a publicnetwork. In some embodiments, network 104 may be a private network andnetwork 104′ a public network. In another embodiment, networks 104 and104′ may both be private networks. In some embodiments, clients 102 maybe located at a branch office of a corporate enterprise communicatingvia a WAN connection over the network 104 to the servers 106 located ata corporate data center.

The network 104 and/or 104′ be any type and/or form of network and mayinclude any of the following: a point to point network, a broadcastnetwork, a wide area network, a local area network, a telecommunicationsnetwork, a data communication network, a computer network, an ATM(Asynchronous Transfer Mode) network, a SONET (Synchronous OpticalNetwork) network, a SDH (Synchronous Digital Hierarchy) network, awireless network and a wireline network. In some embodiments, thenetwork 104 may comprise a wireless link, such as an infrared channel orsatellite band. The topology of the network 104 and/or 104′ may be abus, star, or ring network topology. The network 104 and/or 104′ andnetwork topology may be of any such network or network topology as knownto those ordinarily skilled in the art capable of supporting theoperations described herein.

As shown in FIG. 1A, the appliance 200, which also may be referred to asan interface unit 200 or gateway 200, is shown between the networks 104and 104′. In some embodiments, the appliance 200 may be located onnetwork 104. For example, a branch office of a corporate enterprise maydeploy an appliance 200 at the branch office. In other embodiments, theappliance 200 may be located on network 104′. For example, an appliance200 may be located at a corporate data center. In yet anotherembodiment, a plurality of appliances 200 may be deployed on network104. In some embodiments, a plurality of appliances 200 may be deployedon network 104′. In one embodiment, a first appliance 200 communicateswith a second appliance 200′. In other embodiments, the appliance 200could be a part of any client 102 or server 106 on the same or differentnetwork 104,104′ as the client 102. One or more appliances 200 may belocated at any point in the network or network communications pathbetween a client 102 and a server 106.

In one embodiment, the system may include multiple, logically-groupedservers 106. In these embodiments, the logical group of servers may bereferred to as a server farm 38. In some of these embodiments, theserves 106 may be geographically dispersed. In some cases, a farm 38 maybe administered as a single entity. In other embodiments, the serverfarm 38 comprises a plurality of server farms 38. In one embodiment, theserver farm executes one or more applications on behalf of one or moreclients 102.

The servers 106 within each farm 38 can be heterogeneous. One or more ofthe servers 106 can operate according to one type of operating systemplatform (e.g., WINDOWS NT, manufactured by Microsoft Corp. of Redmond,Wash.), while one or more of the other servers 106 can operate onaccording to another type of operating system platform (e.g., Unix orLinux). The servers 106 of each farm 38 do not need to be physicallyproximate to another server 106 in the same farm 38. Thus, the group ofservers 106 logically grouped as a farm 38 may be interconnected using awide-area network (WAN) connection or medium-area network (MAN)connection. For example, a farm 38 may include servers 106 physicallylocated in different continents or different regions of a continent,country, state, city, campus, or room. Data transmission speeds betweenservers 106 in the farm 38 can be increased if the servers 106 areconnected using a local-area network (LAN) connection or some form ofdirect connection.

Servers 106 may be referred to as a file server, application server, webserver, proxy server, or gateway server. In some embodiments, a server106 may have the capacity to function as either an application server oras a master application server. In one embodiment, a server 106 mayinclude an Active Directory. The clients 102 may also be referred to asclient nodes or endpoints. In some embodiments, a client 102 has thecapacity to function as both a client node seeking access toapplications on a server and as an application server providing accessto hosted applications for other clients 102 a-102 n.

In some embodiments, a client 102 communicates with a server 106. In oneembodiment, the client 102 communicates directly with one of the servers106 in a farm 38. In another embodiment, the client 102 executes aprogram neighborhood application to communicate with a server 106 in afarm 38. In still another embodiment, the server 106 provides thefunctionality of a master node. In some embodiments, the client 102communicates with the server 106 in the farm 38 through a network 104.Over the network 104, the client 102 can, for example, request executionof various applications hosted by the servers 106 a-106 n in the farm 38and receive output of the results of the application execution fordisplay. In some embodiments, only the master node provides thefunctionality required to identify and provide address informationassociated with a server 106′ hosting a requested application.

In one embodiment, the server 106 provides functionality of a webserver. In another embodiment, the server 106 a receives requests fromthe client 102, forwards the requests to a second server 106 b andresponds to the request by the client 102 with a response to the requestfrom the server 106 b. In still another embodiment, the server 106acquires an enumeration of applications available to the client 102 andaddress information associated with a server 106 hosting an applicationidentified by the enumeration of applications. In yet anotherembodiment, the server 106 presents the response to the request to theclient 102 using a web interface. In one embodiment, the client 102communicates directly with the server 106 to access the identifiedapplication. In another embodiment, the client 102 receives applicationoutput data, such as display data, generated by an execution of theidentified application on the server 106.

Referring now to FIG. 1B, a network environment for delivering and/oroperating a computing environment on a client 102 is depicted. In someembodiments, a server 106 includes an application delivery system 190for delivering a computing environment or an application and/or datafile to one or more clients 102. In brief overview, a client 10 is incommunication with a server 106 via network 104, 104′ and appliance 200.For example, the client 102 may reside in a remote office of a company,e.g., a branch office, and the server 106 may reside at a corporate datacenter. The client 102 comprises a client agent 120, and a computingenvironment 15. The computing environment 15 may execute or operate anapplication that accesses, processes or uses a data file. The computingenvironment 15, application and/or data file may be delivered via theappliance 200 and/or the server 106.

In some embodiments, the appliance 200 accelerates delivery of acomputing environment 15, or any portion thereof, to a client 102. Inone embodiment, the appliance 200 accelerates the delivery of thecomputing environment 15 by the application delivery system 190. Forexample, the embodiments described herein may be used to acceleratedelivery of a streaming application and data file processable by theapplication from a central corporate data center to a remote userlocation, such as a branch office of the company. In another embodiment,the appliance 200 accelerates transport layer traffic between a client102 and a server 106. The appliance 200 may provide accelerationtechniques for accelerating any transport layer payload from a server106 to a client 102, such as: 1) transport layer connection pooling, 2)transport layer connection multiplexing, 3) transport control protocolbuffering, 4) compression and 5) caching. In some embodiments, theappliance 200 provides load balancing of servers 106 in responding torequests from clients 102. In other embodiments, the appliance 200 actsas a proxy or access server to provide access to the one or more servers106. In another embodiment, the appliance 200 provides a secure virtualprivate network connection from a first network 104 of the client 102 tothe second network 104′ of the server 106, such as an SSL VPNconnection. It yet other embodiments, the appliance 200 providesapplication firewall security, control and management of the connectionand communications between a client 102 and a server 106.

In some embodiments, the application delivery management system 190provides application delivery techniques to deliver a computingenvironment to a desktop of a user, remote or otherwise, based on aplurality of execution methods and based on any authentication andauthorization policies applied via a policy engine 195. With thesetechniques, a remote user may obtain a computing environment and accessto server stored applications and data files from any network connecteddevice 100. In one embodiment, the application delivery system 190 mayreside or execute on a server 106. In another embodiment, theapplication delivery system 190 may reside or execute on a plurality ofservers 106 a-106 n. In some embodiments, the application deliverysystem 190 may execute in a server farm 38. In one embodiment, theserver 106 executing the application delivery system 190 may also storeor provide the application and data file. In another embodiment, a firstset of one or more servers 106 may execute the application deliverysystem 190, and a different server 106 n may store or provide theapplication and data file. In some embodiments, each of the applicationdelivery system 190, the application, and data file may reside or belocated on different servers. In yet another embodiment, any portion ofthe application delivery system 190 may reside, execute or be stored onor distributed to the appliance 200, or a plurality of appliances.

The client 102 may include a computing environment 15 for executing anapplication that uses or processes a data file. The client 102 vianetworks 104, 104′ and appliance 200 may request an application and datafile from the server 106. In one embodiment, the appliance 200 mayforward a request from the client 102 to the server 106. For example,the client 102 may not have the application and data file stored oraccessible locally. In response to the request, the application deliverysystem 190 and/or server 106 may deliver the application and data fileto the client 102. For example, in one embodiment, the server 106 maytransmit the application as an application stream to operate incomputing environment 15 on client 102.

In some embodiments, the application delivery system 190 comprises anyportion of the Citrix Access Suite™ by Citrix Systems, Inc., such as theMetaFrame or Citrix Presentation Server™ and/or any of the Microsoft®Windows Terminal Services manufactured by the Microsoft Corporation. Inone embodiment, the application delivery system 190 may deliver one ormore applications to clients 102 or users via a remote-display protocolor otherwise via remote-based or server-based computing. In anotherembodiment, the application delivery system 190 may deliver one or moreapplications to clients or users via steaming of the application.

In one embodiment, the application delivery system 190 includes a policyengine 195 for controlling and managing the access to, selection ofapplication execution methods and the delivery of applications. In someembodiments, the policy engine 195 determines the one or moreapplications a user or client 102 may access. In another embodiment, thepolicy engine 195 determines how the application should be delivered tothe user or client 102, e.g., the method of execution. In someembodiments, the application delivery system 190 provides a plurality ofdelivery techniques from which to select a method of applicationexecution, such as a server-based computing, streaming or delivering theapplication locally to the client 120 for local execution.

In one embodiment, a client 102 requests execution of an applicationprogram and the application delivery system 190 comprising a server 106selects a method of executing the application program. In someembodiments, the server 106 receives credentials from the client 102. Inanother embodiment, the server 106 receives a request for an enumerationof available applications from the client 102. In one embodiment, inresponse to the request or receipt of credentials, the applicationdelivery system 190 enumerates a plurality of application programsavailable to the client 102. The application delivery system 190receives a request to execute an enumerated application. The applicationdelivery system 190 selects one of a predetermined number of methods forexecuting the enumerated application, for example, responsive to apolicy of a policy engine. The application delivery system 190 mayselect a method of execution of the application enabling the client 102to receive application-output data generated by execution of theapplication program on a server 106. The application delivery system 190may select a method of execution of the application enabling the localmachine 10 to execute the application program locally after retrieving aplurality of application files comprising the application. In yetanother embodiment, the application delivery system 190 may select amethod of execution of the application to stream the application via thenetwork 104 to the client 102.

A client 102 may execute, operate or otherwise provide an application,which can be any type and/or form of software, program, or executableinstructions such as any type and/or form of web browser, web-basedclient, client-server application, a thin-client computing client, anActiveX control, or a Java applet, or any other type and/or form ofexecutable instructions capable of executing on client 102. In someembodiments, the application may be a server-based or a remote-basedapplication executed on behalf of the client 102 on a server 106. In oneembodiments the server 106 may display output to the client 102 usingany thin-client or remote-display protocol, such as the IndependentComputing Architecture (ICA) protocol manufactured by Citrix Systems,Inc. of Ft. Lauderdale, Fla. or the Remote Desktop Protocol (RDP)manufactured by the Microsoft Corporation of Redmond, Wash. Theapplication can use any type of protocol and it can be, for example, anHTTP client, an FTP client, an Oscar client, or a Telnet client. Inother embodiments, the application comprises any type of softwarerelated to VoIP communications, such as a soft IP telephone. In furtherembodiments, the application comprises any application related toreal-time data communications, such as applications for streaming videoand/or audio.

In some embodiments, the server 106 or a server farm 38 may be runningone or more applications, such as an application providing a thin-clientcomputing or remote display presentation application. In one embodiment,the server 106 or server farm 38 executes as an application, any portionof the Citrix Access Suite™ by Citrix Systems, Inc., such as theMetaFrame or Citrix Presentation Server™, and/or any of the Microsoft®Windows Terminal Services manufactured by the Microsoft Corporation. Inone embodiment, the application is an ICA client, developed by CitrixSystems, Inc. of Fort Lauderdale, Fla. In other embodiments, theapplication includes a Remote Desktop (RDP) client, developed byMicrosoft Corporation of Redmond, Wash. Also, the server 106 may run anapplication, which for example, may be an application server providingemail services such as Microsoft Exchange manufactured by the MicrosoftCorporation of Redmond, Wash., a web or Internet server, or a desktopsharing server, or a collaboration server. In some embodiments, any ofthe applications may comprise any type of hosted service or products,such as GoToMeeting™ provided by Citrix Online Division, Inc. of SantaBarbara, Calif., WebEx™ provided by WebEx, Inc. of Santa Clara, Calif.,or Microsoft Office Live Meeting provided by Microsoft Corporation ofRedmond, Wash.

The client 102, server 106, and appliance 200 may be deployed as and/orexecuted on any type and form of computing device, such as a computer,network device or appliance capable of communicating on any type andform of network and performing the operations described herein. FIGS. 1Cand 1D depict block diagrams of a computing device 100 useful forpracticing an embodiment of the client 102, server 106 or appliance 200.As shown in FIGS. 1C and 1D, each computing device 100 includes acentral processing unit 101, and a main memory unit 122. As shown inFIG. 1C, a computing device 100 may include a visual display device 124,a keyboard 126 and/or a pointing device 127, such as a mouse. Eachcomputing device 100 may also include additional optional elements, suchas one or more input/output devices 130 a-130 b (generally referred tousing reference numeral 130), and a cache memory 140 in communicationwith the central processing unit 101.

The central processing unit 101 is any logic circuitry that responds toand processes instructions fetched from the main memory unit 122. Inmany embodiments, the central processing unit is provided by amicroprocessor unit, such as: those manufactured by Intel Corporation ofMountain View, Calif.; those manufactured by Motorola Corporation ofSchaumburg, Ill.; those manufactured by Transmeta Corporation of SantaClara, Calif.; the RS/6000 processor, those manufactured byInternational Business Machines of White Plains, N.Y.; or thosemanufactured by Advanced Micro Devices of Sunnyvale, Calif. Thecomputing device 100 may be based on any of these processors, or anyother processor capable of operating as described herein.

Main memory unit 122 may be one or more memory chips capable of storingdata and allowing any storage location to be directly accessed by themicroprocessor 101, such as Static random access memory (SRAM), BurstSRAM or SynchBurst SRAM (BSRAM), Dynamic random access memory (DRAM),Fast Page Mode DRAM (FPM DRAM), Enhanced DRAM (EDRAM), Extended DataOutput RAM (EDO RAM), Extended Data Output DRAM (EDO DRAM), BurstExtended Data Output DRAM (BEDO DRAM), Enhanced DRAM (EDRAM),synchronous DRAM (SDRAM), JEDEC SRAM, PC100 SDRAM, Double Data RateSDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), SyncLink DRAM (SLDRAM),Direct Rambus DRAM (DRDRAM), or Ferroelectric RAM (FRAM). The mainmemory 122 may be based on any of the above described memory chips, orany other available memory chips capable of operating as describedherein. In the embodiment shown in FIG. 1C, the processor 101communicates with main memory 122 via a system bus 150 (described inmore detail below). FIG. 1C depicts an embodiment of a computing device100 in which the processor communicates directly with main memory 122via a memory port 103. For example, in FIG. 1D the main memory 122 maybe DRDRAM.

FIG. 1D depicts an embodiment in which the main processor 101communicates directly with cache memory 140 via a secondary bus,sometimes referred to as a backside bus. In other embodiments, the mainprocessor 101 communicates with cache memory 140 using the system bus150. Cache memory 140 typically has a faster response time than mainmemory 122 and is typically provided by SRAM, BSRAM, or EDRAM. In theembodiment shown in FIG. 1C, the processor 101 communicates with variousI/O devices 130 via a local system bus 150. Various busses may be usedto connect the central processing unit 101 to any of the I/O devices130, including a VESA VL bus, an ISA bus, an EISA bus, a MicroChannelArchitecture (MCA) bus, a PCI bus, a PCI-X bus, a PCI-Express bus, or aNuBus. For embodiments in which the I/O device is a video display 124,the processor 101 may use an Advanced Graphics Port (AGP) to communicatewith the display 124. FIG. 1D depicts an embodiment of a computer 100 inwhich the main processor 101 communicates directly with I/O device 130via HyperTransport, Rapid I/O, or InfiniBand. FIG. 1D also depicts anembodiment in which local busses and direct communication are mixed: theprocessor 101 communicates with I/O device 130 using a localinterconnect bus while communicating with I/O device 130 directly.

The computing device 100 may support any suitable installation device116, such as a floppy disk drive for receiving floppy disks such as3.5-inch, 5.25-inch disks or ZIP disks, a CD-ROM drive, a CD-R/RW drive,a DVD-ROM drive, tape drives of various formats, USB device, hard-driveor any other device suitable for installing software and programs suchas any client agent 120, or portion thereof. The computing device 100may further comprise a storage device 128, such as one or more hard diskdrives or redundant arrays of independent disks, for storing anoperating system and other related software, and for storing applicationsoftware programs such as any program related to the client agent 120.Optionally, any of the installation devices 116 could also be used asthe storage device 128. Additionally, the operating system and thesoftware can be run from a bootable medium, for example, a bootable CD,such as KNOPPIX®, a bootable CD for GNU/Linux that is available as aGNU/Linux distribution from knoppix.net.

Furthermore, the computing device 100 may include a network interface118 to interface to a Local Area Network (LAN), Wide Area Network (WAN)or the Internet through a variety of connections including, but notlimited to, standard telephone lines, LAN or WAN links (e.g., 802.11,T1, T3, 56 kb, X.25), broadband connections (e.g., ISDN, Frame Relay,ATM), wireless connections, or some combination of any or all of theabove. The network interface 118 may comprise a built-in networkadapter, network interface card, PCMCIA network card, card bus networkadapter, wireless network adapter, USB network adapter, modem or anyother device suitable for interfacing the computing device 100 to anytype of network capable of communication and performing the operationsdescribed herein. A wide variety of I/O devices 130 a-130 n may bepresent in the computing device 100. Input devices include keyboards,mice, trackpads, trackballs, microphones, and drawing tablets. Outputdevices include video displays, speakers, inkjet printers, laserprinters, and dye-sublimation printers. The I/O devices 130 may becontrolled by an I/O controller 123 as shown in FIG. 1C. The I/Ocontroller may control one or more I/O devices such as a keyboard 126and a pointing device 127, e.g., a mouse or optical pen. Furthermore, anI/O device may also provide storage 128 and/or an installation medium116 for the computing device 100. In still other embodiments, thecomputing device 100 may provide USB connections to receive handheld USBstorage devices such as the USB Flash Drive line of devices manufacturedby Twintech Industry, Inc. of Los Alamitos, Calif.

In some embodiments, the computing device 100 may comprise or beconnected to multiple display devices 124 a-124 n, which each may be ofthe same or different type and/or form. As such, any of the I/O devices130 a-130 n and/or the I/O controller 123 may comprise any type and/orform of suitable hardware, software, or combination of hardware andsoftware to support, enable or provide for the connection and use ofmultiple display devices 124 a-124 n by the computing device 100. Forexample, the computing device 100 may include any type and/or form ofvideo adapter, video card, driver, and/or library to interface,communicate, connect or otherwise use the display devices 124 a-124 n.In one embodiment, a video adapter may comprise multiple connectors tointerface to multiple display devices 124 a-124 n. In other embodiments,the computing device 100 may include multiple video adapters, with eachvideo adapter connected to one or more of the display devices 124 a-124n. In some embodiments, any portion of the operating system of thecomputing device 100 may be configured for using multiple displays 124a-124 n. In other embodiments, one or more of the display devices 124a-124 n may be provided by one or more other computing devices, such ascomputing devices 100 a and 100 b connected to the computing device 100,for example, via a network. These embodiments may include any type ofsoftware designed and constructed to use another computer's displaydevice as a second display device 124 a for the computing device 100.One ordinarily skilled in the art will recognize and appreciate thevarious ways and embodiments that a computing device 100 may beconfigured to have multiple display devices 124 a-124 n.

In further embodiments, an I/O device 130 may be a bridge 170 betweenthe system bus 150 and an external communication bus, such as a USB bus,an Apple Desktop Bus, an RS-232 serial connection, a SCSI bus, aFireWire bus, a FireWire 800 bus, an Ethernet bus, an AppleTalk bus, aGigabit Ethernet bus, an Asynchronous Transfer Mode bus, a HIPPI bus, aSuper HIPPI bus, a SerialPlus bus, a SCI/LAMP bus, a FibreChannel bus,or a Serial Attached small computer system interface bus.

A computing device 100 of the sort depicted in FIGS. 1C and 1D typicallyoperate under the control of operating systems, which control schedulingof tasks and access to system resources. The computing device 100 can berunning any operating system such as any of the versions of theMicrosoft® Windows operating systems, the different releases of the Unixand Linux operating systems, any version of the Mac OS® for Macintoshcomputers, any embedded operating system, any real-time operatingsystem, any open source operating system, any proprietary operatingsystem, any operating systems for mobile computing devices, or any otheroperating system capable of running on the computing device andperforming the operations described herein. Typical operating systemsinclude: WINDOWS 3.x, WINDOWS 95, WINDOWS 98, WINDOWS 2000, WINDOWS NT3.51, WINDOWS NT 4.0, WINDOWS CE, and WINDOWS XP, all of which aremanufactured by Microsoft Corporation of Redmond, Wash.; MacOS,manufactured by Apple Computer of Cupertino, California; OS/2,manufactured by International Business Machines of Armonk, N.Y.; andLinux, a freely-available operating system distributed by Caldera Corp.of Salt Lake City, Utah, or any type and/or form of a Unix operatingsystem, among others.

In other embodiments, the computing device 100 may have differentprocessors, operating systems, and input devices consistent with thedevice. For example, in one embodiment the computer 100 is a Treo 180,270, 1060, 600 or 650 smart phone manufactured by Palm, Inc. In thisembodiment, the Treo smart phone is operated under the control of thePalmOS operating system and includes a stylus input device as well as afive-way navigator device. Moreover, the computing device 100 can be anyworkstation, desktop computer, laptop or notebook computer, server,handheld computer, mobile telephone, any other computer, or other formof computing or telecommunications device that is capable ofcommunication and that has sufficient processor power and memorycapacity to perform the operations described herein.

B. Appliance Architecture

FIG. 2A illustrates an example embodiment of the appliance 200. Thearchitecture of the appliance 200 in FIG. 2A is provided by way ofillustration only and is not intended to be limiting. As shown in FIG.2, appliance 200 comprises a hardware layer 206 and a software layerdivided into a user space 202 and a kernel space 204.

Hardware layer 206 provides the hardware elements upon which programsand services within kernel space 204 and user space 202 are executed.Hardware layer 206 also provides the structures and elements which allowprograms and services within kernel space 204 and user space 202 tocommunicate data both internally and externally with respect toappliance 200. As shown in FIG. 2, the hardware layer 206 includes aprocessing unit 262 for executing software programs and services, amemory 264 for storing software and data, network ports 266 fortransmitting and receiving data over a network, and an encryptionprocessor 260 for performing functions related to Secure Sockets Layerprocessing of data transmitted and received over the network. In someembodiments, the central processing unit 262 may perform the functionsof the encryption processor 260 in a single processor. Additionally, thehardware layer 206 may comprise multiple processors for each of theprocessing unit 262 and the encryption processor 260. The processor 262may include any of the processors 101 described above in connection withFIGS. 1C and 1D. In some embodiments, the central processing unit 262may perform the functions of the encryption processor 260 in a singleprocessor. Additionally, the hardware layer 206 may comprise multipleprocessors for each of the processing unit 262 and the encryptionprocessor 260. For example, in one embodiment, the appliance 200comprises a first processor 262 and a second processor 262′. In otherembodiments, the processor 262 or 262′ comprises a multi-core processor.

Although the hardware layer 206 of appliance 200 is generallyillustrated with an encryption processor 260, processor 260 may be aprocessor for performing functions related to any encryption protocol,such as the Secure Socket Layer (SSL) or Transport Layer Security (TLS)protocol. In some embodiments, the processor 260 may be a generalpurpose processor (GPP), and in further embodiments, may be haveexecutable instructions for performing processing of any securityrelated protocol.

Although the hardware layer 206 of appliance 200 is illustrated withcertain elements in FIG. 2, the hardware portions or components ofappliance 200 may comprise any type and form of elements, hardware orsoftware, of a computing device, such as the computing device 100illustrated and discussed herein in conjunction with FIGS. 1C and 1D. Insome embodiments, the appliance 200 may comprise a server, gateway,router, switch, bridge or other type of computing or network device, andhave any hardware and/or software elements associated therewith.

The operating system of appliance 200 allocates, manages, or otherwisesegregates the available system memory into kernel space 204 and userspace 204. In example software architecture 200, the operating systemmay be any type and/or form of Unix operating system although theinvention is not so limited. As such, the appliance 200 can be runningany operating system such as any of the versions of the Microsoft®Windows operating systems, the different releases of the Unix and Linuxoperating systems, any version of the Mac OS® for Macintosh computers,any embedded operating system, any network operating system, anyreal-time operating system, any open source operating system, anyproprietary operating system, any operating systems for mobile computingdevices or network devices, or any other operating system capable ofrunning on the appliance 200 and performing the operations describedherein.

The kernel space 204 is reserved for running the kernel 230, includingany device drivers, kernel extensions or other kernel related software.As known to those skilled in the art, the kernel 230 is the core of theoperating system, and provides access, control, and management ofresources and hardware-related elements of the application 104. Inaccordance with an embodiment of the appliance 200, the kernel space 204also includes a number of network services or processes working inconjunction with a cache manager 232. sometimes also referred to as theintegrated cache, the benefits of which are described in detail furtherherein. Additionally, the embodiment of the kernel 230 will depend onthe embodiment of the operating system installed, configured, orotherwise used by the device 200.

In one embodiment, the device 200 comprises one network stack 267, suchas a TCP/IP based stack, for communicating with the client 102 and/orthe server 106. In one embodiment, the network stack 267 is used tocommunicate with a first network, such as network 108, and a secondnetwork 110. In some embodiments, the device 200 terminates a firsttransport layer connection, such as a TCP connection of a client 102,and establishes a second transport layer connection to a server 106 foruse by the client 102, e.g., the second transport layer connection isterminated at the appliance 200 and the server 106. The first and secondtransport layer connections may be established via a single networkstack 267. In other embodiments, the device 200 may comprise multiplenetwork stacks, for example 267 and 267′, and the first transport layerconnection may be established or terminated at one network stack 267,and the second transport layer connection on the second network stack267′. For example, one network stack may be for receiving andtransmitting network packet on a first network, and another networkstack for receiving and transmitting network packets on a secondnetwork. In one embodiment, the network stack 267 comprises a buffer 243for queuing one or more network packets for transmission by theappliance 200.

As shown in FIG. 2, the kernel space 204 includes the cache manager 232,a high-speed layer 2-7 integrated packet engine 240, an encryptionengine 234, a policy engine 236 and multi-protocol compression logic238. Running these components or processes 232, 240, 234, 236 and 238 inkernel space 204 or kernel mode instead of the user space 202 improvesthe performance of each of these components, alone and in combination.Kernel operation means that these components or processes 232, 240, 234,236 and 238 run in the core address space of the operating system of thedevice 200. For example, running the encryption engine 234 in kernelmode improves encryption performance by moving encryption and decryptionoperations to the kernel, thereby reducing the number of transitionsbetween the memory space or a kernel thread in kernel mode and thememory space or a thread in user mode. For example, data obtained inkernel mode may not need to be passed or copied to a process or threadrunning in user mode, such as from a kernel level data structure to auser level data structure. In another aspect, the number of contextswitches between kernel mode and user mode are also reduced.Additionally, synchronization of and communications between any of thecomponents or processes 232, 240, 235, 236 and 238 can be performed moreefficiently in the kernel space 204.

In some embodiments, any portion of the components 232, 240, 234, 236and 238 may run or operate in the kernel space 204, while other portionsof these components 232, 240, 234, 236 and 238 may run or operate inuser space 202. In one embodiment, the appliance 200 uses a kernel-leveldata structure providing access to any portion of one or more networkpackets, for example, a network packet comprising a request from aclient 102 or a response from a server 106. In some embodiments, thekernel-level data structure may be obtained by the packet engine 240 viaa transport layer driver interface or filter to the network stack 267.The kernel-level data structure may comprise any interface and/or dataaccessible via the kernel space 204 related to the network stack 267,network traffic or packets received or transmitted by the network stack267. In other embodiments, the kernel-level data structure may be usedby any of the components or processes 232, 240, 234, 236 and 238 toperform the desired operation of the component or process. In oneembodiment, a component 232, 240, 234, 236 and 238 is running in kernelmode 204 when using the kernel-level data structure, while in anotherembodiment, the component 232, 240, 234, 236 and 238 is running in usermode when using the kernel-level data structure. In some embodiments,the kernel-level data structure may be copied or passed to a secondkernel-level data structure, or any desired user-level data structure.

The cache manager 232 may comprise software, hardware or any combinationof software and hardware to provide cache access, control and managementof any type and form of content, such as objects or dynamicallygenerated objects served by the originating servers 106. The data,objects or content processed and stored by the cache manager 232 maycomprise data in any format, such as a markup language, or communicatedvia any protocol. In some embodiments, the cache manager 232 duplicatesoriginal data stored elsewhere or data previously computed, generated ortransmitted, in which the original data may require longer access timeto fetch, compute or otherwise obtain relative to reading a cache memoryelement. Once the data is stored in the cache memory element, future usecan be made by accessing the cached copy rather than refetching orrecomputing the original data, thereby reducing the access time. In someembodiments, the cache memory element nat comprise a data object inmemory 264 of device 200. In other embodiments, the cache memory elementmay comprise memory having a faster access time than memory 264. Inanother embodiment, the cache memory element may comprise any type andform of storage element of the device 200, such as a portion of a harddisk. In some embodiments, the processing unit 262 may provide cachememory for use by the cache manager 232. In yet further embodiments, thecache manager 232 may use any portion and combination of memory,storage, or the processing unit for caching data, objects, and othercontent.

Furthermore, the cache manager 232 includes any logic, functions, rules,or operations to perform any embodiments of the techniques of theappliance 200 described herein. For example, the cache manager 232includes logic or functionality to invalidate objects based on theexpiration of an invalidation time period or upon receipt of aninvalidation command from a client 102 or server 106. In someembodiments, the cache manager 232 may operate as a program, service,process or task executing in the kernel space 204, and in otherembodiments, in the user space 202. In one embodiment, a first portionof the cache manager 232 executes in the user space 202 while a secondportion executes in the kernel space 204. In some embodiments, the cachemanager 232 can comprise any type of general purpose processor (GPP), orany other type of integrated circuit, such as a Field Programmable GateArray (FPGA), Programmable Logic Device (PLD), or Application SpecificIntegrated Circuit (ASIC).

The policy engine 236 may include, for example, an intelligentstatistical engine or other programmable application(s). In oneembodiment, the policy engine 236 provides a configuration mechanism toallow a user to identifying, specify, define or configure a cachingpolicy. Policy engine 236, in some embodiments, also has access tomemory to support data structures such as lookup tables or hash tablesto enable user-selected caching policy decisions. In other embodiments,the policy engine 236 may comprise any logic, rules, functions oroperations to determine and provide access, control and management ofobjects, data or content being cached by the appliance 200 in additionto access, control and management of security, network traffic, networkaccess, compression or any other function or operation performed by theappliance 200. Further examples of specific caching policies are furtherdescribed herein.

The encryption engine 234 comprises any logic, business rules, functionsor operations for handling the processing of any security relatedprotocol, such as SSL or TLS, or any function related thereto. Forexample, the encryption engine 234 encrypts and decrypts networkpackets, or any portion thereof, communicated via the appliance 200. Theencryption engine 234 may also setup or establish SSL or TLS connectionson behalf of the client 102 a-102 n, server 106 a-106 n, or appliance200. As such, the encryption engine 234 provides offloading andacceleration of SSL processing. In one embodiment, the encryption engine234 uses a tunneling protocol to provide a virtual private networkbetween a client 102 a-102 n and a server 106 a-106 n. In someembodiments, the encryption engine 234 is in communication with theEncryption processor 260. In other embodiments, the encryption engine234 comprises executable instructions running on the Encryptionprocessor 260.

The multi-protocol compression engine 238 comprises any logic, businessrules, function or operations for compressing one or more protocols of anetwork packet, such as any of the protocols used by the network stack267 of the device 200. In one embodiment, multi-protocol compressionengine 238 compresses bi-directionally between clients 102 a-102 n andservers 106 a-106 n any TCP/IP based protocol, including MessagingApplication Programming Interface (MAPI) (email), File Transfer Protocol(FTP), HyperText Transfer Protocol (HTTP), Common Internet File System(CIFS) protocol (file transfer), Independent Computing Architecture(ICA) protocol, Remote Desktop Protocol (RDP), Wireless ApplicationProtocol (WAP), Mobile IP protocol, and Voice Over IP (VoIP) protocol.In other embodiments, multi-protocol compression engine 238 providescompression of Hypertext Markup Language (HTML) based protocols and insome embodiments, provides compression of any markup languages, such asthe Extensible Markup Language (XML). In one embodiment, themulti-protocol compression engine 238 provides compression of anyhigh-performance protocol, such as any protocol designed for appliance200 to appliance 200 communications. In another embodiment, themulti-protocol compression engine 238 compresses any payload of or anycommunication using a modified transport control protocol, such asTransaction TCP (T/TCP), TCP with selection acknowledgements (TCP-SACK),TCP with large windows (TCP-LW), a congestion prediction protocol suchas the TCP-Vegas protocol, and a TCP spoofing protocol.

As such, the multi-protocol compression engine 238 acceleratesperformance for users accessing applications via desktop clients, e.g.,Microsoft Outlook and non-Web thin clients, such as any client launchedby popular enterprise applications like Oracle, SAP and Siebel, and evenmobile clients, such as the Pocket PC. In some embodiments, themulti-protocol compression engine 238 by executing in the kernel mode204 and integrating with packet processing engine 240 accessing thenetwork stack 267 is able to compress any of the protocols carried bythe TCP/IP protocol, such as any application layer protocol.

High speed layer 2-7 integrated packet engine 240, also generallyreferred to as a packet processing engine or packet engine, isresponsible for managing the kernel-level processing of packets receivedand transmitted by appliance 200 via network ports 266. The high speedlayer 2-7 integrated packet engine 240 may comprise a buffer for queuingone or more network packets during processing, such as for receipt of anetwork packet or transmission of a network packer. Additionally, thehigh speed layer 2-7 integrated packet engine 240 is in communicationwith one or more network stacks 267 to send and receive network packetsvia network ports 266. The high speed layer 2-7 integrated packet engine240 works in conjunction with encryption engine 234, cache manager 232,policy engine 236 and multi-protocol compression logic 238. Inparticular, encryption engine 234 is configured to perform SSLprocessing of packets, policy engine 236 is configured to performfunctions related to traffic management such as request-level contentswitching and request-level cache redirection, and multi-protocolcompression logic 238 is configured to perform functions related tocompression and decompression of data.

The high speed layer 2-7 integrated packet engine 240 includes a packetprocessing timer 242. In one embodiment, the packet processing timer 242provides one or more time intervals to trigger the processing ofincoming, i.e., received, or outgoing, i.e., transmitted, networkpackets. In some embodiments, the high speed layer 2-7 integrated packetengine 240 processes network packets responsive to the timer 242. Thepacket processing timer 242 provides any type and form of signal to thepacket engine 240 to notify, trigger, or communicate a time relatedevent, interval or occurrence. In many embodiments, the packetprocessing timer 242 operates in the order of milliseconds, such as forexample 100 ms, 50 ms or 25 ms. For example, in some embodiments, thepacket processing timer 242 provides time intervals or otherwise causesa network packet to be processed by the high speed layer 2-7 integratedpacket engine 240 at a 10 ms time interval, while in other embodiments,at a 5 ms time interval, and still yet in further embodiments, as shortas a 3, 2, or 1 ms time interval. The high speed layer 2-7 integratedpacket engine 240 may be interfaced, integrated or in communication withthe encryption engine 234, cache manager 232, policy engine 236 andmulti-protocol compression engine 238 during operation. As such, any ofthe logic, functions, or operations of the encryption engine 234, cachemanager 232, policy engine 236 and multi-protocol compression logic 238may be performed responsive to the packet processing timer 242 and/orthe packet engine 240. Therefore, any of the logic, functions, oroperations of the encryption engine 234, cache manager 232, policyengine 236 and multi-protocol compression logic 238 may be performed atthe granularity of time intervals provided via the packet processingtimer 242, for example, at a time interval of less than or equal to 10ms. For example, in one embodiment, the cache manager 232 may performinvalidation of any cached objects responsive to the high speed layer2-7 integrated packet engine 240 and/or the packet processing timer 242.In another embodiment, the expiry or invalidation time of a cachedobject can be set to the same order of granularity as the time intervalof the packet processing timer 242, such as at every 10 ms.

In contrast to kernel space 204, user space 202 is the memory area orportion of the operating system used by user mode applications orprograms otherwise running in user mode. A user mode application may notaccess kernel space 204 directly and uses service calls in order toaccess kernel services. As shown in FIG. 2, user space 202 of appliance200 includes a graphical user interface (GUI) 210, a command lineinterface (CLI) 212, shell services 214, health monitoring program 216,and daemon services 218. GUI 210 and CLI 212 provide a means by which asystem administrator or other user can interact with and control theoperation of appliance 200, such as via the operating system of theappliance 200 and either is user space 202 or kernel space 204. The GUI210 may be any type and form of graphical user interface and may bepresented via text, graphical or otherwise, by any type of program orapplication, such as a browser. The CLI 212 may be any type and form ofcommand line or text-based interface, such as a command line provided bythe operating system. For example, the CLI 212 may comprise a shell,which is a tool to enable users to interact with the operating system.In some embodiments, the CLI 212 may be provided via a bash, csh, tcsh,or ksh type shell. The shell services 214 comprises the programs,services, tasks, processes or executable instructions to supportinteraction with the appliance 200 or operating system by a user via theGUI 210 and/or CLI 212.

Health monitoring program 216 is used to monitor, check, report andensure that network systems are functioning properly and that users arereceiving requested content over a network. Health monitoring program216 comprises one or more programs, services, tasks, processes orexecutable instructions to provide logic, rules, functions or operationsfor monitoring any activity of the appliance 200. In some embodiments,the health monitoring program 216 intercepts and inspects any networktraffic passed via the appliance 200. In other embodiments, the healthmonitoring program 216 interfaces by any suitable means and/ormechanisms with one or more of the following: the encryption engine 234,cache manager 232, policy engine 236, multi-protocol compression logic238, packet engine 240, daemon services 218, and shell services 214. Assuch, the health monitoring program 216 may call any applicationprogramming interface (API) to determine a state, status, or health ofany portion of the appliance 200. For example, the health monitoringprogram 216 may ping or send a status inquiry on a periodic basis tocheck if a program, process, service or task is active and currentlyrunning. In another example, the health monitoring program 216 may checkany status, error or history logs provided by any program, process,service or task to determine any condition, status or error with anyportion of the appliance 200.

Daemon services 218 are programs that run continuously or in thebackground and handle periodic service requests received by appliance200. In some embodiments, a daemon service may forward the requests toother programs or processes, such as another daemon service 218 asappropriate. As known to those skilled in the art, a daemon service 218may run unattended to perform continuous or periodic system widefunctions, such as network control, or to perform any desired task. Insome embodiments, one or more daemon services 218 run in the user space202, while in other embodiments, one or more daemon services 218 run inthe kernel space.

Referring now to FIG. 2B, another embodiment of the appliance 200 isdepicted. In brief overview, the appliance 200 provides one or more ofthe following services, functionality or operations: SSL VPNconnectivity 280, switching/load balancing 284, Domain Name Serviceresolution 286, acceleration 288 and an application firewall 290 forcommunications between one or more clients 102 and one or more servers106. In one embodiment, the appliance 200 comprises any of the networkdevices manufactured by Citrix Systems, Inc. of Ft. Lauderdale Fla.,referred to as Citrix NetScaler devices. Each of the servers 106 mayprovide one or more network related services 270 a-270 n (referred to asservices 270). For example, a server 106 may provide an http service270. The appliance 200 comprises one or more virtual servers or virtualinternet protocol servers, referred to as a vServer, VIP server, or justVIP 275 a-275 n (also referred herein as vServer 275). The vServer 275receives, intercepts or otherwise processes communications between aclient 102 and a server 106 in accordance with the configuration andoperations of the appliance 200.

The vServer 275 may comprise software, hardware or any combination ofsoftware and hardware. The vServer 275 may comprise any type and form ofprogram, service, task, process or executable instructions operating inuser mode 202, kernel mode 204 or any combination thereof in theappliance 200. The vServer 275 includes any logic, functions, rules, oroperations to perform any embodiments of the techniques describedherein, such as SSL VPN 280, switching/load balancing 284, Domain NameService resolution 286, acceleration 288 and an application firewall290. In some embodiments, the vServer 275 establishes a connection to aservice 270 of a server 106. The service 275 may comprise any program,application, process, task or set of executable instructions capable ofconnecting to and communicating to the appliance 200, client 102 orvServer 275. For example, the service 275 may comprise a web server,http server, ftp, email or database server. In some embodiments, theservice 270 is a daemon process or network driver for listening,receiving and/or sending communications for an application, such asemail, database or an enterprise application. In some embodiments, theservice 270 may communicate on a specific IP address, or IP address andport.

In some embodiments, the vServer 275 applies one or more policies of thepolicy engine 236 to network communications between the client 102 andserver 106. In one embodiment, the policies are associated with aVServer 275. In another embodiment, the policies are based on a user, ora group of users. In yet another embodiment, a policy is global andapplies to one or more vServers 275 a-275 n, and any user or group ofusers communicating via the appliance 200. In some embodiments, thepolicies of the policy engine have conditions upon which the policy isapplied based on any content of the communication, such as internetprotocol address, port, protocol type, header or fields in a packet, orthe context of the communication, such as user, group of the user,vServer 275, transport layer connection, and/or identification orattributes of the client 102 or server 106.

In other embodiments, the appliance 200 communicates or interfaces withthe policy engine 236 to determine authentication and/or authorizationof a remote user or a remote client 102 to access the computingenvironment 15, application, and/or data file from a server 106. Inanother embodiment, the appliance 200 communicates or interfaces withthe policy engine 236 to determine authentication and/or authorizationof a remote user or a remote client 102 to have the application deliverysystem 190 deliver one or more of the computing environment 15,application, and/or data file. In yet another embodiment, the appliance200 establishes a VPN or SSL VPN connection based on the policy engine's236 authentication and/or authorization of a remote user or a remoteclient 103 In one embodiment, the appliance 102 controls the flow ofnetwork traffic and communication sessions based on policies of thepolicy engine 236. For example, the appliance 200 may control the accessto a computing environment 15, application or data file based on thepolicy engine 236.

In some embodiments, the vServer 275 establishes a transport layerconnection, such as a TCP or UDP connection with a client 102 via theclient agent 120. In one embodiment, the vServer 275 listens for andreceives communications from the client 102. In other embodiments, thevServer 275 establishes a transport layer connection, such as a TCP orUDP connection with a client server 106. In one embodiment, the vServer275 establishes the transport layer connection to an internet protocoladdress and port of a server 270 running on the server 106. In anotherembodiment, the vServer 275 associates a first transport layerconnection to a client 102 with a second transport layer connection tothe server 106. In some embodiments, a vServer 275 establishes a pool oftransport layer connections to a server 106 and multiplexes clientrequests via the pooled transport layer connections.

In some embodiments, the appliance 200 provides a SSL VPN connection 280between a client 102 and a server 106. For example, a client 102 on afirst network 102 requests to establish a connection to a server 106 ona second network 104′. In some embodiments, the second network 104′ isnot routable from the first network 104. In other embodiments, theclient 102 is on a public network 104 and the server 106 is on a privatenetwork 104′, such as a corporate network. In one embodiment, the clientagent 120 intercepts communications of the client 102 on the firstnetwork 104, encrypts the communications, and transmits thecommunications via a first transport layer connection to the appliance200. The appliance 200 associates the first transport layer connectionon the first network 104 to a second transport layer connection to theserver 106 on the second network 104. The appliance 200 receives theintercepted communication from the client agent 120, decrypts thecommunications, and transmits the communication to the server 106 on thesecond network 104 via the second transport layer connection. The secondtransport layer connection may be a pooled transport layer connection.As such, the appliance 200 provides an end-to-end secure transport layerconnection for the client 102 between the two networks 104, 104′.

In one embodiment, the appliance 200 hosts an intranet internet protocolor intranetIP 282 address of the client 102 on the virtual privatenetwork 104. The client 102 has a local network identifier, such as aninternet protocol (IP) address and/or host name on the first network104. When connected to the second network 104′ via the appliance 200,the appliance 200 establishes, assigns or otherwise provides anIntranetIP, which is a network identifier, such as IP address and/orhost name, for the client 102 on the second network 104′. The appliance200 listens for and receives on the second or private network 104′ forany communications directed towards the client 102 using the client'sestablished IntranetIP 282. In one embodiment, the appliance 200 acts asor on behalf of the client 102 on the second private network 104. Forexample, in another embodiment, a vServer 275 listens for and respondsto communications to the IntranetIP 282 of the client 102. In someembodiments, if a computing device 100 on the second network 104′transmits a request, the appliance 200 processes the request as if itwere the client 102. For example, the appliance 200 may respond to aping to the client's IntranetIP 282. In another example, the appliancemay establish a connection, such as a TCP or UDP connection, withcomputing device 100 on the second network 104 requesting a connectionwith the client's IntranetIP 282.

In some embodiments, the appliance 200 provides one or more of thefollowing acceleration techniques 288 to communications between theclient 102 and server 106: 1) compression; 2) decompression; 3)Transmission Control Protocol pooling; 4) Transmission Control Protocolmultiplexing; 5) Transmission Control Protocol buffering; and 6)caching. In one embodiment, the appliance 200 relieves servers 106 ofmuch of the processing load caused by repeatedly opening and closingtransport layers connections to clients 102 by opening one or moretransport layer connections with each server 106 and maintaining theseconnections to allow repeated data accesses by clients via the Internet.This technique is referred to herein as “connection pooling”.

In some embodiments, in order to seamlessly splice communications from aclient 102 to a server 106 via a pooled transport layer connection, theappliance 200 translates or multiplexes communications by modifyingsequence number and acknowledgment numbers at the transport layerprotocol level. This is referred to as “connection multiplexing”. Insome embodiments, no application layer protocol interaction is required.For example, in the case of an in-bound packet (that is, a packetreceived from a client 102), the source network address of the packet ischanged to that of an output port of appliance 200, and the destinationnetwork address is changed to that of the intended server. In the caseof an outbound packet (that is, one received from a server 106), thesource network address is changed from that of the server 106 to that ofan output port of appliance 200 and the destination address is changedfrom that of appliance 200 to that of the requesting client 102. Thesequence numbers and acknowledgment numbers of the packet are alsotranslated to sequence numbers and acknowledgement expected by theclient 102 on the appliance's 200 transport layer connection to theclient 102. In some embodiments, the packet checksum of the transportlayer protocol is recalculated to account for these translations.

In another embodiment, the appliance 200 provides switching orload-balancing functionality 284 for communications between the client102 and server 106. In some embodiments, the appliance 200 distributestraffic and directs client requests to a server 106 based on layer 4 orapplication-layer request data. In one embodiment, although the networklayer or layer 2 of the network packet identifies a destination server106, the appliance 200 determines the server 106 to distribute thenetwork packet by application information and data carried as payload ofthe transport layer packet. In one embodiment, the health monitoringprograms 216 of the appliance 200 monitor the health of servers todetermine the server 106 for which to distribute a client's request. Insome embodiments, if the appliance 200 detects a server 106 is notavailable or has a load over a predetermined threshold, the appliance200 can direct or distribute client requests to another server 106.

In some embodiments, the appliance 200 acts as a Domain Name Service(DNS) resolver or otherwise provides resolution of a DNS request fromclients 102. In some embodiments, the appliance intercepts' a DNSrequest transmitted by the client 102. In one embodiment, the appliance200 responds to a client's DNS request with an IP address of or hostedby the appliance 200. In this embodiment, the client 102 transmitsnetwork communication for the domain name to the appliance 200. Inanother embodiment, the appliance 200 responds to a client's DNS requestwith an IP address of or hosted by a second appliance 200′. In someembodiments, the appliance 200 responds to a client's DNS request withan IP address of a server 106 determined by the appliance 200.

In yet another embodiment, the appliance 200 provides applicationfirewall functionality 290 for communications between the client 102 andserver 106. In one embodiment, the policy engine 236 provides rules fordetecting and blocking illegitimate requests. In some embodiments, theapplication firewall 290 protects against denial of service (DoS)attacks. In other embodiments, the appliance inspects the content ofintercepted requests to identify and block application-based attacks. Insome embodiments, the rules/policy engine 236 comprises one or moreapplication firewall or security control policies for providingprotections against various classes and types of web or Internet basedvulnerabilities, such as one or more of the following: 1) bufferoverflow, 2) CGI-BIN parameter manipulation, 3) form/hidden fieldmanipulation, 4) forceful browsing, 5) cookie or session poisoning, 6)broken access control list (ACLs) or weak passwords, 7) cross-sitescripting (XSS), 8) command injection, 9) SQL injection, 10) errortriggering sensitive information leak, 11) insecure use of cryptography,12) server misconfiguration, 13) back doors and debug options, 14)website defacement, 15) platform or operating systems vulnerabilities,and 16) zero-day exploits. In an embodiment, the application firewall290 provides HTML form field protection in the form of inspecting oranalyzing the network communication for one or more of the following: 1)required fields are returned, 2) no added field allowed, 3) read-onlyand hidden field enforcement, 4) drop-down list and radio button fieldconformance, and 5) form-field max-length enforcement. In someembodiments, the application firewall 290 ensures cookies are notmodified. In other embodiments, the application firewall 290 protectsagainst forceful browsing by enforcing legal URLs.

In still yet other embodiments, the application firewall 290 protectsany confidential information contained in the network communication. Theapplication firewall 290 may inspect or analyze any networkcommunication in accordance with the rules or polices of the engine 236to identify any confidential information in any field of the networkpacket. In some embodiments, the application firewall 290 identifies inthe network communication one or more occurrences of a credit cardnumber, password, social security number, name, patient code, contactinformation, and age. The encoded portion of the network communicationmay comprise these occurrences or the confidential information. Based onthese occurrences, in one embodiment, the application firewall 290 maytake a policy action on the network communication, such as preventtransmission of the network communication. In another embodiment, theapplication firewall 290 may rewrite, remove or otherwise mask suchidentified occurrence or confidential information.

C. Client Agent

Referring now to FIG. 3, an embodiment of the client agent 120 isdepicted. The client 102 includes a client agent 120 for establishingand exchanging communications with the appliance 200 and/or server 106via a network 104. In brief overview, the client 102 operates oncomputing device 100 having an operating system with a kernel mode 302and a user mode 303, and a network stack 310 with one or more layers 310a-310 b. The client 102 may have installed and/or execute one or moreapplications. In some embodiments, one or more applications maycommunicate via the network stack 310 to a network 104. One of theapplications, such as a web browser, may also include a first program322. For example, the first program 322 may be used in some embodimentsto install and/or execute the client agent 120, or any portion thereof.The client agent 120 includes an interception mechanism, or interceptor350, for intercepting network communications from the network stack 310from the one or more applications.

The network stack 310 of the client 102 may comprise any type and formof software, or hardware, or any combinations thereof, for providingconnectivity to and communications with a network. In one embodiment,the network stack 310 comprises a software implementation for a networkprotocol suite. The network stack 310 may comprise one or more networklayers, such as any networks layers of the Open Systems Interconnection(OSI) communications model as those skilled in the art recognize andappreciate. As such, the network stack 310 may comprise any type andform of protocols for any of the following layers of the OSI model: 1)physical link layer, 2) data link layer, 3) network layer, 4) transportlayer, 5) session layer, 6) presentation layer, and 7) applicationlayer. In one embodiment, the network stack 310 may comprise a transportcontrol protocol (TCP) over the network layer protocol of the internetprotocol (IP), generally referred to as TCP/IP. In some embodiments, theTCP/IP protocol may be carried over the Ethernet protocol, which maycomprise any of the family of IEEE wide-area-network (WAN) orlocal-area-network (LAN) protocols, such as those protocols covered bythe IEEE 802.3. In some embodiments, the network stack 310 comprises anytype and form of a wireless protocol, such as IEEE 802.11 and/or mobileinternet protocol.

In view of a TCP/IP based network, any TCP/IP based protocol may beused, including Messaging Application Programming Interface (MAPI)(email), File Transfer Protocol (FTP), HyperText Transfer Protocol(HTTP), Common Internet File System (CIFS) protocol (file transfer),Independent Computing Architecture (ICA) protocol, Remote DesktopProtocol (RDP), Wireless Application Protocol (WAP), Mobile IP protocol,and Voice Over IP (VoIP) protocol. In another embodiment, the networkstack 310 comprises any type and form of transport control protocol,such as a modified transport control protocol, for example a TransactionTCP (T/TCP), TCP with selection acknowledgements (TCP-SACK), TCP withlarge windows (TCP-LW), a congestion prediction protocol such as theTCP-Vegas protocol, and a TCP spoofing protocol. In other embodiments,any type and form of user datagram protocol (UDP), such as UDP over IP,may be used by the network stack 310, such as for voice communicationsor real-time data communications.

Furthermore, the network stack 310 may include one or more networkdrivers supporting the one or more layers, such as a TCP driver or anetwork layer driver. The network drivers may be included as part of theoperating system of the computing device 100 or as part of any networkinterface cards or other network access components of the computingdevice 100. In some embodiments, any of the network drivers of thenetwork stack 310 may be customized, modified or adapted to provide acustom or modified portion of the network stack 310 in support of any ofthe techniques described herein. In other embodiments, the accelerationprogram 120 is designed and constructed to operate with or work inconjunction with the network stack 310 installed or otherwise providedby the operating system of the client 102.

The network stack 310 comprises any type and form of interfaces forreceiving, obtaining, providing or otherwise accessing any informationand data related to network communications of the client 102. In oneembodiment, an interface to the network stack 310 comprises anapplication programming interface (API). The interface may also compriseany function call, hooking or filtering mechanism, event or call backmechanism, or any type of interfacing technique. The network stack 310via the interface may receive or provide any type and form of datastructure, such as an object, related to functionality or operation ofthe network stack 310. For example, the data structure may compriseinformation and data related to a network packet or one or more networkpackets. In some embodiments, the data structure comprises a portion ofthe network packet processed at a protocol layer of the network stack310, such as a network packet of the transport layer. In someembodiments, the data structure 325 comprises a kernel-level datastructure, while in other embodiments, the data structure 325 comprisesa user-mode data structure. A kernel-level data structure may comprise adata structure obtained or related to a portion of the network stack 310operating in kernel-mode 302, or a network driver or other softwarerunning in kernel-mode 302, or any data structure obtained or receivedby a service, process, task, thread or other executable instructionsrunning or operating in kernel-mode of the operating system.

Additionally, some portions of the network stack 310 may execute oroperate in kernel-mode 302, for example, the data link or network layer,while other portions execute or operate in user-mode 303, such as anapplication layer of the network stack 310. For example, a first portion310 a of the network stack may provide user-mode access to the networkstack 310 to an application while a second portion 310 a of the networkstack 310 provides access to a network. In some embodiments, a firstportion 310 a of the network stack may comprise one or more upper layersof the network stack 310, such as any of layers 5-7. In otherembodiments, a second portion 310 b of the network stack 310 comprisesone or more lower layers, such as any of layers 1-4. Each of the firstportion 310 a and second portion 310 b of the network stack 310 maycomprise any portion of the network stack 310, at any one or morenetwork layers, in user-mode 203, kernel-mode, 202, or combinationsthereof, or at any portion of a network layer or interface point to anetwork layer or any portion of or interface point to the user-mode 203and kernel-mode 203.

The interceptor 350 may comprise software, hardware, or any combinationof software and hardware. In one embodiment, the interceptor 350intercept a network communication at any point in the network stack 310,and redirects or transmits the network communication to a destinationdesired, managed or controlled by the interceptor 350 or client agent120. For example, the interceptor 350 may intercept a networkcommunication of a network stack 310 of a first network and transmit thenetwork communication to the appliance 200 for transmission on a secondnetwork 104. In some embodiments, the interceptor 350 comprises any typeinterceptor 350 comprises a driver, such as a network driver constructedand designed to interface and work with the network stack 310. In someembodiments, the client agent 120 and/or interceptor 350 operates at oneor more layers of the network stack 310, such as at the transport layer.In one embodiment, the interceptor 350 comprises a filter driver,hooking mechanism, or any form and type of suitable network driverinterface that interfaces to the transport layer of the network stack,such as via the transport driver interface (TDI). In some embodiments,the interceptor 350 interfaces to a first protocol layer, such as thetransport layer and another protocol layer, such as any layer above thetransport protocol layer, for example, an application protocol layer. Inone embodiment, the interceptor 350 may comprise a driver complying withthe Network Driver Interface Specification (NDIS), or a NDIS driver. Inanother embodiment, the interceptor 350 may comprise a mini-filter or amini-port driver. In one embodiment, the interceptor 350, or portionthereof, operates in kernel-mode 202. In another embodiment, theinterceptor 350, or portion thereof, operates in user-mode 203. In someembodiments, a portion of the interceptor 350 operates in kernel-mode202 while another portion of the interceptor 350 operates in user-mode203. In other embodiments, the client agent 120 operates in user-mode203 but interfaces via the interceptor 350 to a kernel-mode driver,process, service, task or portion of the operating system, such as toobtain a kernel-level data structure 225. In further embodiments, theinterceptor 350 is a user-mode application or program, such asapplication.

In one embodiment, the interceptor 350 intercepts any transport layerconnection requests. In these embodiments, the interceptor 350 executetransport layer application programming interface (API) calls to set thedestination information, such as destination IP address and/or port to adesired location for the location. In this manner, the interceptor 350intercepts and redirects the transport layer connection to a IP addressand port controlled or managed by the interceptor 350 or client agent120. In one embodiment, the interceptor 350 sets the destinationinformation for the connection to a local IP address and port of theclient 102 on which the client agent 120 is listening. For example, theclient agent 120 may comprise a proxy service listening on a local IPaddress and port for redirected transport layer communications. In someembodiments, the client agent 120 then communicates the redirectedtransport layer communication to the appliance 200.

In some embodiments, the interceptor 350 intercepts a Domain NameService (DNS) request. In one embodiment, the client agent 120 and/orinterceptor 350 resolves the DNS request. In another embodiment, theinterceptor transmits the intercepted DNS request to the appliance 200for DNS resolution. In one embodiment, the appliance 200 resolves theDNS request and communicates the DNS response to the client agent 120.In some embodiments, the appliance 200 resolves the DNS request viaanother appliance 200′ or a DNS server 106.

In yet another embodiment, the client agent 120 may comprise two agents120 and 120′. In one embodiment, a first agent 120 may comprise aninterceptor 350 operating at the network layer of the network stack 310.In some embodiments, the first agent 120 intercepts network layerrequests such as Internet Control Message Protocol (ICMP) requests(e.g., ping and traceroute). In other embodiments, the second agent 120′may operate at the transport layer and intercept transport layercommunications. In some embodiments, the first agent 120 interceptscommunications at one layer of the network stack 210 and interfaces withor communicates the intercepted communication to the second agent 120′.

The client agent 120 and/or interceptor 350 may operate at or interfacewith a protocol layer in a manner transparent to any other protocollayer of the network stack 310. For example, in one embodiment, theinterceptor 350 operates or interfaces with the transport layer of thenetwork stack 310 transparently to any protocol layer below thetransport layer, such as the network layer, and any protocol layer abovethe transport layer, such as the session, presentation or applicationlayer protocols. This allows the other protocol layers of the networkstack 310 to operate as desired and without modification for using theinterceptor 350. As such, the client agent 120 and/or interceptor 350can interface with the transport layer to secure, optimize, accelerate,route or load-balance any communications provided via any protocolcarried by the transport layer, such as any application layer protocolover TCP/IP.

Furthermore, the client agent 120 and/or interceptor may operate at orinterface with the network stack 310 in a manner transparent to anyapplication, a user of the client 102, and any other computing device,such as a server, in communications with the client 102. The clientagent 120 and/or interceptor 350 may be installed and/or executed on theclient 102 in a manner without modification of an application. In someembodiments, the user of the client 102 or a computing device incommunications with the client 102 are not aware of the existence,execution or operation of the client agent 120 and/or interceptor 350.As such, in some embodiments, the client agent 120 and/or interceptor350 is installed, executed, and/or operated transparently to anapplication, user of the client 102, another computing device, such as aserver, or any of the protocol layers above and/or below the protocollayer interfaced to by the interceptor 350.

The client agent 120 includes an acceleration program 302, a streamingclient 306, and/or a collection agent 304. In one embodiment, the clientagent 120 comprises an Independent Computing Architecture (ICA) client,or any portion thereof, developed by Citrix Systems, Inc. of FortLauderdale, Fla., and is also referred to as an ICA client. In someembodiments, the client 120 comprises an application streaming client306 for streaming an application from a server 106 to a client 102. Insome embodiments, the client agent 120 comprises an acceleration program302 for accelerating communications between client 102 and server 106.In another embodiment, the client agent 120 includes a collection agent304 for performing end-point detection/scanning and collecting end-pointinformation for the appliance 200 and/or server 106.

In some embodiments, the acceleration program 302 comprises aclient-side acceleration program for performing one or more accelerationtechniques to accelerate, enhance or otherwise improve a client'scommunications with and/or access to a server 106, such as accessing anapplication provided by a server 106. The logic, functions, and/oroperations of the executable instructions of the acceleration program302 may perform one or more of the following acceleration techniques: 1)multi-protocol compression, 2) transport control protocol pooling, 3)transport control protocol multiplexing, 4) transport control protocolbuffering, and 5) caching via a cache manager. Additionally, theacceleration program 302 may perform encryption and/or decryption of anycommunications received and/or transmitted by the client 102. In someembodiments, the acceleration program 302 performs one or more of theacceleration techniques in an integrated manner or fashion.Additionally, the acceleration program 302 can perform compression onany of the protocols, or multiple-protocols, carried as a payload of anetwork packet of the transport layer protocol.

The streaming client 306 comprises an application, program, process,service, task or executable instructions for receiving and executing astreamed application from a server 106. A server 106 may stream one ormore application data files to the streaming client 306 for playing,executing or otherwise causing to be executed the application on theclient 102. In some embodiments, the server 106 transmits a set ofcompressed or packaged application data files to the streaming client306. In some embodiments, the plurality of application files arecompressed and stored on a file server within an archive file such as aCAB, ZIP, SIT, TAR, JAR or other archive. In one embodiment, the server106 decompresses, unpackages or unarchives the application files andtransmits the files to the client 102. In another embodiment, the client102 decompresses, unpackages or unarchives the application files. Thestreaming client 306 dynamically installs the application, or portionthereof, and executes the application. In one embodiment, the streamingclient 306 may be an executable program. In some embodiments, thestreaming client 306 may be able to launch another executable program.

The collection agent 304 comprises an application, program, process,service, task or executable instructions for identifying, obtainingand/or collecting information about the client 102. In some embodiments,the appliance 200 transmits the collection agent 304 to the client 102or client agent 120. The collection agent 304 may be configuredaccording to one or more policies of the policy engine 236 of theappliance. In other embodiments, the collection agent 304 transmitscollected information on the client 102 to the appliance 200. In oneembodiment, the policy engine 236 of the appliance 200 uses thecollected information to determine and provide access, authenticationand authorization control of the client's connection to a network 104.

In one embodiment, the collection agent 304 comprises an end-pointdetection and scanning mechanism, which identifies and determines one ormore attributes or characteristics of the client. For example, thecollection agent 304 may identify and determine any one or more of thefollowing client-side attributes: 1) the operating system an/or aversion of an operating system, 2) a service pack of the operatingsystem, 3) a running service, 4) a running process, and 5) a file. Thecollection agent 304 may also identify and determine the presence orversions of any one or more of the following on the client: 1) antivirussoftware, 2) personal firewall software, 3) anti-spam software, and 4)internet security software. The policy engine 236 may have one or morepolicies based on any one or more of the attributes or characteristicsof the client or client-side attributes.

In some embodiments and still referring to FIG. 3, a first program 322may be used to install and/or execute the client agent 120, or portionthereof, such as the interceptor 350, automatically, silently,transparently, or otherwise. In one embodiment, the first program 322comprises a plugin component, such an ActiveX control or Java control orscript that is loaded into and executed by an application. For example,the first program comprises an ActiveX control loaded and run by a webbrowser application, such as in the memory space or context of theapplication. In another embodiment, the first program 322 comprises aset of executable instructions loaded into and run by the application,such as a browser. In one embodiment, the first program 322 comprises adesigned and constructed program to install the client agent 120. Insome embodiments, the first program 322 obtains, downloads, or receivesthe client agent 120 via the network from another computing device. Inanother embodiment, the first program 322 is an installer program or aplug and play manager for installing programs, such as network drivers,on the operating system of the client 102.

D. IIP Addressing Environment

Referring now to FIG. 4, an embodiment of an environment for providingIntranet Internet Protocol (IIP) addresses to users and/or clients isdepicted. The IIP addressing environment provided by the appliance 200and/or client 102 may be used for: 1) assigning, based on policy,temporal and/or status information, an IIP address 282 to a user from aplurality of IIP addresses designated to the user for accessing anetwork via the appliance, 2) providing an IIP address 282 assigned tothe user to an application on a client requesting resolution of theinternet protocol address of the client 102, and 3) providing amechanism to determine the IIP address 282 assigned to the user via aconfigurable user domain name associated with the user's IIP address282.

In brief overview, the appliance 200 provides an IIP pool 410 of IIPaddresses 282A-282N to be assigned and/or used by one or more users. TheIIP pool 410 may include a pool 412 of free or unassigned IIP addresses,i.e. a free pool 413, a pool 414 of IIP addresses that may be reclaimed,i.e., a reclaim pool 414, and/or a pool 416 of IIP addresses that may beassigned via transfer, i.e., a transfer pool 416, such as via thetransfer of a session 445, e.g., a SSL VPN session provided by theappliance 200. In some embodiments, if an IIP address 282 is notavailable from the IIP pool 410, then a mapped IP (MIP) 440 may be usedto provide a client or a user an IIP address 282. For mapped IP, theappliance 200 intercepts an incoming client's IP and replaces it with aMIP address. Any servers sitting behind the appliance 200 see a MIPinstead of a the client's actual IP address in the IP header field oftraffic directed to them.

A set of one or more IIP addresses 282A-282N may be designated for orassociated with a user. In one embodiment, the appliance 200 via an IIPpolicy 420 provides a user with an IIP address from a plurality of IIPaddresses 282A-282N designated for the user. For example, the IIP policy420 may indicate to provide the user with the most recently used IIPaddress 282 of the user. The appliance 200 includes a database or table450 for maintaining an association of IIP addresses 286 to entities,such as users.

In additional overview, the appliance 200 provides a mechanism forquerying the IIP address 282 assigned to and/or used by the user. Theappliance 200 may be configured with a user domain name policy 430specifying a domain suffix 435 to associate with an identifier of theuser. For example, the domain name policy 430 may indicate to append thedomain suffix “mycompany.com” 435 to a user identifier, such as the userid of the user when logged into the appliance 200 or network 104′. As aresult, in some embodiments, the appliance 200 associates the userdomain name 437 of <user id>.<domain suffix>, e.g.,“userA.mycompany.com” with the IIP address assigned to the user. Theappliance 200 may store in the domain name service (DNS) 286, or DNScache the user domain name 437 in association with the IIP address 282The appliance 200 can resolve any DNS queries or ping commands based onthe user domain name 437 by providing the associated IIP address 232.

In further overview, the client agent 120 provides a mechanism by whichthe IIP address 282 is provided to an application. The client agent 120includes an interception or hooking mechanism 350 for intercepting anyapplication programming interface (API) calls of the application relatedto determining or resolving the internet protocol address of the client102, such as for example, gethostbyname. Instead of providing theinternet protocol address of the client 102 identified in the networkstack 310, e.g., the IP address of the client on network 104, the clientagent 120 provides the IIP address 282 assigned to the user via theappliance 200, such as the IIP address 282 of the client 102 or user ofthe client 102 on the second network 104′ connected from the client 102on a first network 104 via a SSL VPN connection of the appliance.

In more detail, the appliance 200 provides an IIP address 282 to a useror the client of the user. In one embodiment, the IIP address 282 is theinternet protocol address of the user, or the client used by the user,for communications on the network 104′ accessed via the appliance 200.For example, the user may communicate on a first network 104 via anetwork stack 310 of a client 102 that provides an internet protocol(IP) address for the first network 104, such as for example,200.100.10.1. From client 102 on the first network 104, the user mayestablish a connection, such as an SSL VPN connection, with a secondnetwork 104′ via the appliance 200. The appliance 200 provides an IIPaddress 282 for the second network 104′ to the client and/or user, suchas 192.10.1.1. Although the client 102 has an IP address on the firstnetwork 104 (e.g., 200.100.10.1), the user and/or client has an IIPaddress 282 or second network IP address (e.g., 192.10.1.1) forcommunications on the second network 104′. In one embodiment, the IIPaddress 282 is the internet protocol address assigned to the client 102on the VPN, or SSL VPN, connected network 104′. In another embodiment,the appliance 200 provides or acts as a DNS 286 for clients 102communicating via the appliance 200. In some embodiments, the appliance200 assigns or leases internet protocol addresses, referred to as IIPaddresses 282, to client's requesting an internet protocol address, suchas dynamically via Dynamic Host Configuration Protocol (DHCP).

The appliance 200 may provide the IIP address 282 from an IIP pool 410of one or more IIP addresses 282A-282N. In some embodiments, theappliance 200 obtains a pool of internet protocol addresses on network104′ from a server 106 to use for the IIP pool 410. In one embodiment,the appliance 200 obtains an IIP address pool 410, or portion thereof,from a DNS server 406, such as one provided via server 106. In anotherembodiment, the appliance 200 obtains an IIP address pool 410, orportion thereof, from a Remote Authentication Dial In User Service,RADIUS, server 408, such as one provided via server 106. In yet anotherembodiment, the appliance 200 acts as a DNS server 286 or provides DNSfunctionally 286 for network 104′. For example, a vServer 275 may beconfigured as a DNS 286. In these embodiments, the appliance 200 obtainsor provides an IIP pool from the appliance provided DNS 286.

The appliance 200 may designate, assign or allocate IIP addresses forany of the following entities: 1) user, 2) group, 3) vServer, and d)global. In some embodiments, the IIP pool 410 may be designated or usedfor assigning IIP addresses 286 to users. In other embodiments, IIP pool410 may include IIP addresses 286 to be assigned to or used by servicesof the appliance 200, such as vServers 275. In other embodiments, IIPpool 410 may include IIP addresses 286 to be assigned to or used byglobal or group entities of the appliance 200. In one embodiment, theIIP pool 410 may comprise a single pool of IIP addresses. In anotherembodiment, the IIP pool 410 may comprise multiple pools or sub-pools ofIIP addresses. In some embodiments, the IIP pool 410 comprises a freeIIP pool 412. In other embodiments, the IIP pool 410 comprises areclaimed IIP pool 414. In yet another embodiment, the IIP pool 410comprises a transfer IIP pool 416. In some embodiments, the IIP pool 410comprises any combination of a free IIP pool 412, a reclaimed IIP pool414 and/or a transfer IIP pool 416. In one embodiment, the free IIP pool413 comprises IP addresses which are available for usage. In someembodiments, the reclaimed IIP pool 414 comprises IP addresses which areassociated with an entity, such as a user, group or vServer, but areinactive and available for usage. In other embodiments, the transfer IIPpool 416 comprises IP addresses that are active but can be madeavailable through a transfer login or transfer session process.

In some embodiments, the appliance 200 may list or enumerate internetprotocol addresses used for IIP addresses in the IIP pool 410, or insome embodiments, any of the sub-pools 412, 414, 416, in an order orpriority. In some embodiments, the appliance 200 enumerates or lists theIIP addresses of a pool according to the following scheme: 1) user, 2)group, 3) vServer, and d) global. In one embodiment, the appliance 200provides an IIP address from an IIP pool 410 for assignment based on theorder or priority. For example, the appliance 200 may try to obtain afree IIP address from the user associated IP free pool 412 first. If anIIP address is not available from the user portion of the pool, theappliance 200 may then try to obtain a free IIP address from the groupportion of the pool 412, and so on, via the vServer and global portionsof the pool until an IIP address can be assigned. Likewise, theappliance 200 may prioritize the sub-pools 412, 414, and 416, in anyorder or combination, to search for IIP addresses to assign. Forexample, the appliance 200 may first search the free IIP pool 412, thenthe reclaimed IIP pool 416 and then the transfer IIP pool 416 for IIPaddresses.

The appliance 200 may comprise any type and form of database or table450 for associating, tracking, managing or maintaining the designation,allocation and/or assignment of IIP addresses to a 1) user, 2) group, 3)vServer, and/or d) global entities from the IIP pool 410. In oneembodiment, the appliance 200 implements an Internet Protocol LightWeight Database Table (IPLWDB) 450. In some embodiments, the IPLWDB 450maintains entries which provide a one-to-one mapping of an IP addresswith or to an entity. In another embodiment, once an entity uses or isassigned an IIP address 282, the IPLWDB maintains the associationbetween the entity and IIP address, which may be referred to as “IIPstickiness” or having the IIP address “stuck” to an entity. In oneembodiment, IIP stickiness refers to the ability or effectiveness of theappliance 200 to maintain or hold the association between the entity andthe IIP address. In some embodiments, IIP stickiness refers to theability or effectiveness of the appliance 200 to maintain the entity/IIPaddress relationship or assignment via any changes in the system, suchas a user logging in and out of the appliance, or changing accesspoints. In some embodiments, the IPLWDB 450 comprises a hash table,which is hashed based on any one or more of the 1) user, 2) group, 3)vServer, and/or d) global entities. The IPLWDB 450 may comprise a hashof the user and any other information associated with the user, such asclient 102, or network 104 of client 104.

The IPLWDB 450 may track, manage or maintain any status and temporalinformation related to the IIP address/entity relationship. In oneembodiment, the IPLWDB 450 maintains if the IIP address for the entityis currently active or inactive. For example, in some embodiments, theIPLWDB 450 identifies an IIP address 282 as active if it is currentlyused in an SSL VPN session via the appliance 200. In another embodiment,the IPLWDB 450 maintains temporal data for the IIP address use by theentity: such as when first used, when last used, how long has been used,and when most recently used. In other embodiments, the IPLWDB 450maintains information on the type or source of usage, such as, in thecase of user, what client 102 or network 104 used from, or for whattransactions or activities were performed using the assigned IIPaddress.

In some embodiments, the IPLWDB 450 tracks, manages and maintainsmultiple IIP addresses used by an entity. The IPLWDB 450 may use one ormore IIP policies 420 for determining which IIP address of a pluralityof IIP addresses to assign or provide to an entity, such as a user. Inone embodiment, the IIP policy 420 may specify to provide for assignmentthe most recently or last used IIP address of the user. In someembodiments, the IIP policy 420 may specify to provide for assignmentthe most used IIP address of the user. In other embodiments, the IIPpolicy 420 may specify to provide the least used IIP address of theuser. In another embodiment, the IIP policy 420 may specify the order orpriority for which to provide IP addresses of the user, for example,from the most recent to least recent. In yet another embodiment, the IIPpolicy 420 may specify which IIP pool 410 or sub-pool 412, 414, 416 touse, and/or in which order. In some embodiments, the IIP policy 420 mayspecify whether or not to use a mapped IP address, and under whatconditions, such as when an inactive IIP address of the user is notavailable. In other embodiments, the IIP policy 420 may specify whetheror not to transfer a session or login of the user, and under whatconditions.

In some embodiments, the appliance 200 can be configured to bind or makethe association of one or more IIP addresses 282 to an entity, such as auser. For example, in some embodiments, the associations in IPLWDB 450are updated or maintained via bind and unbind commands via the appliance200. In one embodiment, the following command can be issued to theappliance 200 via a command line interface (CLI) 212 or GUI 210:

bind aaa user <user-name>[-intranetip <ip_addr>] [<netmask>]

For example, if an administrator of the appliance 200 intends toassociate the IIP addresses 282 of 10.102,4,189, 10.102.4.1 and10.102.4.2 with a user “nsroot”, then the administrator may issue thefollowing commands:

bind aaa user nsroot-intranetip 10.102.4.189 255.255.255.255

bind aaa user nsroot-intranetip 10.102.4.0 255 255.255.255.252

In one embodiment, the netmask value provides a mechanism for assigninga range of IIP addresses to a user. In some embodiments, the netmaskvalue is optional and the default is 255.255.255.255. For example, thefollowing commands are equivalent:

bind aaa user nsroot-intranetip 10.102.4.189

bind aaa user nsroot-intranetip 10.102.4.189 255.255.255.255

Likewise, the administrator 200 or other user may disassociate an IIPaddress with an entity, such as a user, via an unbind command. In someembodiments, the unbind command may have similar format as the bindcommand. In one embodiment, if the IIP address is active, the bind orunbind command will not be processed. In other embodiments, if the IIPaddress is active, the appliance transmits a reset (RST) command to allthe client and server connections associated with the active session,and then proceeds to make any changes associated with the issued bind orunbind command. In another embodiment, the appliance 200 updates theassociated client and server connections with any updated IIP addressinformation. In one embodiment, the appliance 200 re-establishes theassociated client and server connections with the changed IIP address.

In some embodiments, the appliance 200 provides a mechanism and/ortechnique for determining the IIP address 282 of a user. In oneembodiment, the appliance 200 is configured via a user domain namepolicy 430, which provides information on specifying a user domain 437.In one embodiment, the user domain policy 430 specifies a domain suffix435 to be used in forming the user domain 437. For example, the userdomain policy 430, in some embodiments, may be specified by thefollowing command:

add vpn sessionaction <name>[-httpPort <port> . . . ] [-winsIP<ip_addr>] . . .

. . .

[-homepage <URL>] [-iipdnssuffix <string>]

In one embodiment, the iipdnssuffix 435 specifies a string, such as adomain name, that will be appended to the user id/name to form a userdomain name 437. The user id may be the login name of the user, an aliasor nickname of the user, or any user identification associated with theuser's profile. In one embodiment, the domain suffix 435 identifies thedomain name of the network 104 or network 104′. In other embodiments,the domain suffix 435 may comprise a domain name or host name of theappliance 200. In yet other embodiments, the domain suffix 435 may beany desired, predetermined or custom string for identifying the userdomain name 437.

In the case of a user having multiple IIP addresses 282 activeconcurrently, the user domain name policy 430 may specify an instanceidentifier or any other character or symbol to differentiate between afirst instance and a second instance of a VPN session of the user. Forexample, the policy 430 may specify to include a number after the userid, such as <userid><Instance Number> or <userid>_<#>. In otherembodiments, the policy 430 specifies to only associate or provide asingle user domain name 437 for a user. For example, in one embodiment,the user domain name 437 is associated with the first session. In otherembodiments, the user domain name 437 is associated with the most recentsession.

Although the user domain policy 430 is described as providing a domainsuffix 435 to a user identifier to form the user domain name 437, theuser domain policy 430 may specify any portion of the user domain name437. For the example, the user domain policy 430 may specify the formatfor the user identifier or which type of user id to use, such as anidentified portion of the user's profile. In some embodiments, bydefault, the domain suffix 435 may be the same domain name as thenetwork 104. In another embodiment, the user domain policy 430 mayspecify a format for or additions or modifications to the domain name ofthe network 104 in providing the user domain name 437.

When a user logs in and gets assigned an IIP address 282, the appliance200 stores a record associating the user id/name, or user domain name437, and IIP address 282. In some embodiments, the appliance 200 storesthe record in DNS 286, or a DNS cache, on the appliance 200. In anotherembodiment, the appliance 200 stores the record in a DNS 406 on server106. In other embodiments, the appliance 200 stores the record in theIPLWDB 450. The appliance 200 can query a DNS with the user domain name437 and obtain the assigned IIP address 286. A user logged into theappliance 200 via SSL VPN get the IIP address of another user by usingDNS instead of having to remember the IP address. For example, a user onclient 102 can ping the IIP address of another user. The client agent120 can intercept such requests and query the DNS 286 of the appliance200 to determine the IIP address 282 assigned the user domain name. Insome embodiments, without logging into the appliance 200 via SSLVPN, aclient can query the IIP address 282 of a user by sending a DNS queryrequest to the DNS 286 of the appliance 200.

In some embodiments, the client agent 120 provide an interception orhooking mechanism 350 for intercepting any requests for the local IPaddress of the client 102, and returning or replying with an IIP address282, such as the IIP address 282 assigned to the user. In someembodiments, the hooking mechanism 350 may include any of the mechanismsof the interceptor 350 described above in conjunction with FIG. 3. Inother embodiments, the hooking mechanism 350 may include any type andform of hooking mechanism 350, such as application level hook procedureor function. In one embodiment and by way of example, the hookingmechanism 350 comprises any of the Windows API calls for setting aapplication hooking procedure, such as via the SetWindowsHookEx APIcall. In some embodiments, the SetWindowsHookEx function installs anapplication-defined hook procedure into a hook chain.

Depending on the operating system of the client 102, the client agent120 may use the corresponding APIs of the OS to install, add, modify oruse a hook procedure 350 to hook or intercept messages of anapplication. A hook procedure 350 may be installed to monitor the systemfor certain types of events, which are associated either with a specificthread or with all threads in the same space as the calling thread. Inone embodiment, a hook, such as hooking mechanism 350, is a point in thesystem message-handling mechanism where an application, such as theclient agent 120, can install a subroutine to monitor the messagetraffic in the system and process certain types of messages before themessages reach the target processing function. In some embodiments, thehooking mechanism 350 may intercept or hook any of the followingfunction calls or messages of an application: gethostbyname,getaddrinfo, and getsockname. In other embodiments, the hookingmechanism 350 may hook any of the Windows Socket API extensions such asWSAIoctl, WSALookupServiceBegin, WSALookupServiceNext, andWSALookupServiceEnd.

In one embodiment, the client agent 120 transmits a request to theappliance 200 to determine the IIP address 282 of the host nameintercepted by the hooking mechanism 350. In some embodiments, theappliance 200 looks up the corresponding IIP address 282 of the hostname of the client 102 in a DNS, such as DNS 286 on appliance 200 or DNS406 on a server. In other embodiments, the client agent 120 uses theuser domain name 437 of the user associated with the application to pingor DNS query the IIP address 282. In some embodiments, the client agent120 transmits the local IP address of the client 102 and the appliance200 queries the corresponding IIP address 282. In one embodiment, theappliance 200 stores the name of the client 102 in association with theuser and/or IIP address in the IPLWDB 450. In other embodiments, theclient agent 120 has cached the IIP address of the user or client 102,and thus, does not need to query the appliance 200. For example, uponestablishment of a SSL VPN connection, the appliance 200 may transmitthe IIP address 282 to the client 102. With the hooking mechanism 350,instead of providing the client's local IP address (the client's addresson the first network 104), the client agent 120 provides the IIP address282 of the client (the client's or user's address on the second network104′).

In some embodiments, the hooking mechanism 350 of the client agent 120is used to return the IIP address for supporting the transparent andseamless use of online collaboration tools via SSL VPN connections. Inone embodiment, the application is a NetMeeting application manufacturedby the Microsoft Corporation of Redmond, Wash. In some embodiments, anyof the applications 230 may comprise any type of hosted service orproducts, such as GoToMeeting™ provided by Citrix Online Division, Inc.of Santa Barbara, Calif., WebEx™ provided by WebEx, Inc. of Santa Clara,Calif., or Microsoft Office LiveMeeting provided by MicrosoftCorporation of Redmond, Wash. With the hooking mechanism 350 providingthe IIP address 282 assigned to the client via the SSL VPN connection,the application does not need to be modified to work as designed via theSSL VPN session. The hooking mechanism 350 provides the IIP address 282of the client 102 or user if the client 102 instead of the local IPaddress when making a request to get the IP address of the client 102.

E. IIP Address “Stickiness” to a User

Referring now to FIG. 5, an embodiment of steps of a method 500 forassigning an IIP address 282 to a user is depicted. In one embodiment,the method 500 is practiced to provide IIP address stickiness for auser. In some embodiments, an SSL VPN user may login and logout of theappliance 200 multiple times from different computers. For example, theuser may roam from computing device to computing device or switch fromone location to another. In some example, an SSL VPN user may be on amobile device and have the network connectivity disrupted causing thedevice to re-establish the SSL VPN connection. With the techniquesdepicted by method 500, the SSL VPN user may get assigned the same IIPaddress 282 for each of those sessions. In some embodiments, theappliance 200 may be configured with policies 420 specifying what IIPaddress 282 should be assigned to a user.

In brief overview of method 500, at step 505, the appliance 200designates a plurality of IIP address 282A-292N to a user, such as anSSL VPN user, from a pool 410 of IIP addresses. At step 510, theappliance 200 receives a request from a client 102 operated by the userto establish a connection via the appliance 200 to a network 104′, suchas an SSL VPN connection. At step 515, the appliance 200 assigns to theclient or the user an IIP address 282 on network 104′ from the IIPaddress pool 410. The appliance 200 may make the assignment based onpolicy 420, temporal information or the status of any of the designatedIIP addresses 282A-282N for the user. For example, in one embodiment,the appliance 200 assigns the most recently used IIP address 282 of theuser to the client 102. At step 525, in some embodiments, the appliance200 determines whether to provide a mapped IP or to transfer a session.For example, if an inactive IIP address 282 is not available forassigning to the user, the appliance 200 may opt to use a MIP address atstep 530 or to request the user to transfer an active session to thecurrent request at step 535.

In further detail, at step 505, the appliance 200 may designate orallocate any set of one or more IIP addresses 282A-282N for a user. Insome embodiments, the appliance 200 designates one IIP address 282. Inother embodiments, the appliance 200 designates up to a predeterminednumber of multiple IIP addresses 282A-282N for the user, such as 2, 3,4, 5, 6, 7, 9, 10, 15, 20 or 26 IIP addresses. In one embodiment, themultiple IIP addresses 282A-228N comprise a continuous range of IPaddresses on network 104′, for example, IP addresses 200.10.1.1 to200.20.1.10. In another embodiment, the multiple IIP addresses 282A-282Ncomprises any set of IP addresses on network 104′ that are notsubsequent to each other. In yet another embodiment, the multiple IIPaddresses 282A-282N are any combination of subsequent IP address rangesand single or separate IP addresses.

In one embodiment, the appliance 200 obtains a set of internet protocoladdresses from a DNS for the network 104′ accessed via the appliance200. For example, the appliance 200 may obtain a set of IP addresses forthe intranet from a DNS server 406 or a RADIUS server 508. In anotherexample, the appliance 200 may provide or act as a DNS 286 and allocatethe IP addresses for the intranet. In some embodiments, one or more IIPaddresses 282A-282N may be associated or designated with a user via abind or similar command issued at the CLI 212 or GUI 210 of theappliance 200. In other embodiments, the appliance 200 may obtain from aDNS IP addresses 282A-282N on network 104's that are associated with auser. In some embodiments, the appliance 200 designates a portion of thefree IIP pool 412 to the user. In other embodiments, the appliance 200may designate or reclaim a portion of the reclaim IIP pool 414 to theuser.

At step 510, the user via client 102 transmits a request to theappliance 200 to establish a connection to the network 104′. In someembodiments, the appliance 200 identifies the user from the request. Inother embodiments, the appliance 200 identifies the user from receipt oflogin or authentication credentials. For example, in some embodiments,the user submits a user id and password via a URL or web-page of theappliance 200. In one embodiment, the client agent 120 requests toestablish a tunnel connection with the appliance 200 using any type andform of tunneling protocol. In another embodiment, the client agent 120requests to establish a virtual private network connection via theappliance 200 to a network 104. For example, the client agent 120 mayestablish a virtual private network connection with the appliance 200 toconnect the client 102 on the first network 104 to a second network104′. In some embodiments, the client agent 120 establishes a SSL VPNconnection with the appliance 200. In yet another embodiment, the clientagent 120 establishes a tunnel or virtual private network connectionusing Transport Layer Secure (TLS) protocol. In one embodiment, theclient agent 120 requests to establish a tunnel connection using theCommon Gateway Protocol (CGP) manufactured by Citrix Systems, Inc. ofFt. Lauderdale, Fla.

At step 515, the appliance 200, in response to receiving the requestfrom the user or the client 102, assigns an IIP address 282 on thesecond network 104′ from the designated set of IIP addresses 282A-282Nof the user. In one embodiment, the appliance 200 determines the IIPaddress 282 to assign based on an IIP policy 420. For example, in someembodiments to maintain IIP stickiness, the appliance 200 via IIP policy420 determines the most recently used IIP address 282 of the user. Inother embodiments to maintain IIP stickiness, the appliance 200 viainformation tracked by the IPLWDB 450 determines the most used IIPaddress 282 of the user from the set of IIP addresses 282A-282N. In someembodiments, in the case of one or more active SSL VPN sessions, theappliance 200 determines the next most recently used or most used IIPaddress 282 of the user. In yet other embodiments, the appliance 200determines an appropriate, desired or policy-driven IIP address 282 toassign the user from the designated set of user IIP addresses 282A-282Nby any combination of policy 435, status of sessions associated with theuser's IIP addresses 282A-282N, and temporal information of sessionsassociated with the user's IIP addresses 282A-282N.

In one embodiment, the appliance 200 may use any sub-pool 412, 414 or416 of the IP pool 410 to assign an IIP address 282 to the user. In someembodiment, the free IIP pool 412 may not have an available IIP addressof the user. For example, all the IIP addresses of the user are markedas active or already assigned to a session. As such, in theseembodiments, the appliance 200 may search the reclaim IIP pool 414 forany IIP addresses of the user assigned but available to reclaim. Instill another embodiment, the appliance 200 may search the transfer IIPpool 416 for any IIP addresses of the user. In yet other embodiments,the appliance 200 may search any designated allocations or pools forgroup, global or vServer IIP addresses for an IP address that may bedesignated and assigned for the user or otherwise provided as a mappedIP address. In some embodiments, the appliance 200 searches portions ofthe IP pool 410 for IIP addresses of the user in an ordered orprioritized manner, such as the free IIP pool 412, first, the reclaimIIP pool 414, second and the transfer IIP pool 416 third. In oneembodiment, the search order or priority may be specified by a policy420.

In many embodiments, the appliance 200 provides a previously assignedIIP address 282 of the user from the free IIP pool 412 or the reclaimIIP pool 414. In some embodiments, the appliance 200 provides the userwith the most recently or last assigned IIP address to provide IIPstickiness. However, at step 525, in some embodiments, the appliance 200determines whether to provide a mapped IP 440 or a transfer session 445.In some embodiments, an IIP policy 420 specifies whether to use a mappedIP 440 or a transfer session 445 in cases of the appliance 200 notfinding an available IIP address 282 of the user from the free IIP pool412 and/or the reclaimed IIP pool 414. In other embodiments, an IIPpolicy 420 may specify to use a Mapped IP 440 in cases of the appliance200 not finding an inactive IIP address in any pool 410, or an availableIIP address in the free IIP pool 412. In one embodiment, if the IIPpolicy 420 specifies to use a Mapped IP 440 at step 525, then, at step530 provides a Mapped IP 440 instead of using an assigned IIP address272.

In the cases of using a Mapped IP 440, the appliance 200 modifies anypackets to and from the client 102 with an IIP address 282 of thenetwork 104′. For example, instead of assigning the user a userdesignated IIP address 282, the appliance 200 may use any available IIPaddress of the IIP pool 410, such as a globally available IIP address.The appliance 200 may modify the packets transmitted from the client 102to have this mapped IP 440 when transmitted from the appliance 200 to aserver 106. Also, in some embodiments, the appliance 200 may modifypackets transmitted from the server 106 to the client 102 to change theMapped IP 440 to the IP address of the client 102, such as the IPaddress of the client 102 on the first network 104. In some embodiments,the appliance 200 stores in the IPLWDB 450 the association of the mappedIP 440 to the user and/or client 102.

In another embodiment, if the IIP policy 420 specifies to use a transfersession 445 at step 525, then, at step 535, the appliance 200 initiatesa transfer of an active session of the user. In one embodiment, uponreceiving, by the appliance 200, a request from a first client operatedby a user to establish a VPN session, the appliance may create atemporary VPN session with the client. In some embodiments, theappliance 200 may refuse to accept any data received via the temporarysession until a new VPN session is created from temporary session. Inother embodiments, the temporary VPN session may be allocated lessresources by the appliance than would be allocated to a standard VPNsession. In another embodiment, a temporary VPN session may not beassigned an IIP address 282, or may otherwise be prevented fromreceiving data. In some embodiments, the appliance may identify a numberof properties associated with the existing session. In one embodiment,after identifying an existing session, the appliance 200 may transmit amessage to the user via the previously existing session indicating thecurrent session attempt.

In some embodiments, the appliance 200 may transmit to the client 102 ofthe user a request for information corresponding to whether to terminatethe previous session. In some embodiments, this request may comprise aweb page which accepts user input. For example, the web page maycomprise an enumerated list of existing sessions, with input means forthe user to a select one or more sessions to be terminated. In otherembodiments, this request may comprise a communication to a client agent120, which then may respond on behalf of the user. In some embodiments,this request may comprise a request for information corresponding towhether to terminate one or more of a plurality of previous sessions.

In one embodiment, the request may comprise information relating to anyof the properties of the existing session. In some embodiments, thisinformation may be displayed to the user along with the choice ofwhether to terminate the existing session. For example, a web page maybe displayed to the user stating “you have a previously existing sessionwhich was opened July 2nd at 10:30 am, do you wish to close?” In otherembodiments, this information may be transmitted to a client agent whichmay then make a determination whether to close a previously existingsession based on the properties of the previously existing session. Forexample, a client agent 120 executing on the client making the newsession request may determine to automatically terminate a previoussession in the event that no applications are currently associated withthe previous session.

In some embodiments, the request may also comprise a request forinformation relating to whether the user would like to transfer datafrom a previous session to a current session. For example, if a user wasremotely executing an application, the user may wish to resume theremote execution and the previous session or sessions associated withthe remote execution using the current session. After transmitting, fromthe appliance 200 to the client 102, a request for informationcorresponding to whether to terminate the previous session the appliancemay receive, from the client or the user, a response comprising anindication to terminate the previous session. In still otherembodiments, the appliance 200 may receive a response comprising arequest to transfer data associated with a previous session to thecurrent session. In these embodiments, the appliance 200 assigns the IIPaddress 282A of the previous session to the new session.

In the event the appliance 200 receives a response comprising anindication not to terminate the previous session, the appliance 200 mayrefuse to allow the user access, and terminate the temporary VPNsession. In these embodiments, the appliance 200 maintains theassociation of the IIP addresses 282 with the previous session and doesnot assign the IIP address to the new session. In other embodiments, theappliance 200 may create a new VPN session unrelated to any of theidentified previous sessions. In these embodiments, the appliance 200may assign an available IIP address from another entity, such as group,vServer or global or another user, to the new VPN session.

F. IIP Address Spoofing of an Application

Referring now to FIG. 6, an embodiment of steps of a method 600 forproviding an IIP address 282 to a request of an application for thelocal IP address of a client 102 is depicted. In one embodiment, themethod 600 is practiced is referred to as IIP “spoofing” of the client'sIP address. In some embodiments, spoofing is a situation in which aprogram successfully masquerades as another by changing data to make itlook, feel and/or act as another program but with the changed data. Asdescribed herein, the client agent 120 spoofs the local IP address ofthe client 102 on a first network 104 to be the IIP address 282 of theclient 102 or user on the second network 104′ or the network 104′accessed by the client via a VPN connection to the appliance 200. Withthe techniques depicted by method 600, the application receives inresponse to a request, the IIP address 282 of the client 102 on thesecond network 104′ instead of the local IP address on the network stack310. In some embodiments, the method 600 enables applications totransparently and seamlessly communicate to other applications via theSSL VPN connected network 104′ without changes or modification In oneembodiment, this technique is useful for online collaboration tools,such as NetMeeting, when the client or user establishes an SSL VPNconnection and needs to collaborate with other computers on the network104′ or other SSL VPN connected clients 102.

In brief overview of method 600, at step 605, the client 102 on a firstnetwork 104 establishes a connection via the appliance 200 to a secondnetwork 104′, such as an SSL VPN connection. At step 610, the appliance200 provides or assigns an IIP address on the second network 104′ forthe client 102. At step 615, an application on the client 102 requests anetwork identifier of the client 102. At step 620, the client agent 120determines the IIP address 282 of the client 102 on the second network104′. At step 625, in response to the request, the client agent 120provides the application the IIP address 282 of the second network 104′instead of the local IP address of the client 102 on the first network104.

In further details, at step 605, the client agent 102 establishes atransport layer connection with the appliance 200, such as via thetransport control protocol or user datagram protocol. In one embodiment,the client agent 120 establishes a tunnel connection with the appliance200 using any type and form of tunneling protocol. In anotherembodiment, the client agent 120 establishes a virtual private networkconnection via the appliance 200 to a network 104′. For example, theclient agent 120 may establish a virtual private network connection withthe appliance 200 to connect the client 102 on the first network 104 toa second network 104′. In some embodiments, the client agent 120establishes a SSL VPN connection with the appliance 200. In yet anotherembodiment, the client agent 120 establishes a tunnel or virtual privatenetwork connection using Transport Layer Secure (TLS) protocol. In oneembodiment, the client agent 120 establishes a tunnel connection withthe appliance 200 using the Common Gateway Protocol (CGP) manufacturedby Citrix Systems, Inc. of Ft. Lauderdale, Fla.

At step 610, the appliance 200 provides the client 102 an IP address onthe second network 104′. In one embodiment, the appliance 200 assignsthe client 102 an IIP address 282. In some embodiments, the appliance200 assigns the user of the client 102 an IIP address 282 using any ofthe techniques and methods discussed above in connection with method 500and FIG. 5. In another embodiment, the appliance 200 uses a Mapped IP440 address for the client 102. In yet another embodiment, the appliance200 and client 102 use a transferred session with its corresponding IIPaddress 282 for establishing the connection at step 605 and providingthe IIP address 282 at step 610. In some embodiments, the appliance 200,on behalf of the client 102, hosts the IIP address 282 of the client 102on network 104′.

At step 615, an application on the client 102 makes a request todetermine the IP address of the client 102. In some embodiments, theapplication makes any socket based application programming interface(API) calls to request the IP address of the client based on the hostname of the client 102. In one embodiment, the hooking mechanism 350intercepts the API call. In some embodiments, the hooking mechanism 350may intercept or hook any of the following function calls or messages ofan application: gethostbyname, getaddrinfo, and getsockname. In otherembodiments, the hooking mechanism 350 may hook any of the WindowsSocket API extensions such as WSAIoctl, WSALookupServiceBegin,WSALookupServiceNext, and WSALookupServiceEnd. In one embodiment,without hooking these API calls via the hooking mechanism 350, theapplication would receive from the network stack 310 the local IPaddress of the client 102 on the first network 104.

At step 620, the client agent 120 and/or hooking mechanism 620determines the IIP address 282 to return to the hooked API call. In oneembodiment, the hooking mechanism 350 responds with the IIP address 282assigned to the user. In another embodiment, the hooking mechanism 350responds with the IIP address 282 assigned to the client 102. In otherembodiments, the hooking mechanism 350 responds with the Mapped IPaddress 440 of the client 102 on the second network 104′. In yet anotherembodiment, the hooking mechanism 350 responds with the IP address onthe second network 104′ hosted by the appliance 200 on behalf of theclient 102.

In some embodiments, the client agent 120 and/or hooking mechanism 350transmits a request to the appliance 200 to determine the IIP address282 of the client 102. For example, the appliance 200 may query a tableor database, such as a the IPLWDB 450 to determine the IIP addressassociated with either the local client IP address, the user or theclient agent 120. In another embodiment, the client agent 120 performs aping command to determine the IIP address 282 associated with the useras will be described in further detail below in conjunction with FIG. 7.In some embodiments, the client agent 120 transmits a DNS query to theDNS 286 of the appliance 200 or another DNS server 406 to resolve theuser domain name 437 into an IIP address 282. In yet another embodiment,the client agent 120 stores or caches the IIP address 282 assigned tothe client or user from the appliance 200. In these embodiments, theclient agent 120 and/or hooking mechanism 350 can retrieve the IIPaddress 282 from local storage without making a request to the appliance200.

At step 625, the hooking mechanism 350 provides the IIP address 282determined at step 620 to the application in response to theapplication's request at step 615. In one embodiment, the hookingmechanism 350 provides a reply to the hooked function or API call. Inother embodiments, the hooking mechanism 350 provides a message to theAPI call. In some embodiments, the application continues operations withthe provided IIP address 282. For example, the application may transmitthe IIP address 282 to another client or application, such as via thepayload of a transport layer packet communicated via the VPN connection.In yet other embodiments, the applications uses the IIP address 282 inother socket-based API calls as if were the local IP address of theclient 102. In this manner, the application operates for the SSL VPNconnected network 104's without modification as if were communicating onthe first network 104′. With the techniques illustrated by theembodiment of method 600, the user, client 102 and application, such asan online collaboration tool, obtain the security and access controlbenefits and other functionality provided by the appliance in a seamlessand transparent manner.

G. IIP Address Querying of a User

Referring now to FIG. 7, an embodiment of steps of a method 700 forquerying the IIP address 282 of a user using a user domain name 437 isdepicted. In one embodiment, the method 700 is practiced in order foruser, client or application to determine the IIP address assigned to aSSL VPN user. In some embodiments, a naming scheme for the user domainnames 437 can be configured of the appliance 200. For example, a userdomain name policy 420 can specify the domain suffix 435 to be appendedto a user identifier. In this manner, a user understanding the userdomain naming scheme can easily and efficiently ping or DNS query theIIP address of an SSL VPN user on a network 104′. For example, the usermay ping the user domain name 437 of “<user id>.<mycompanyname.com>” todetermine the IIP address 282 assigned by the appliance 200 to the useror client of the user. In this manner, SSL VPN users can quicklydetermine the IIP addresses of other users when using collaborationtools, such as establishing a NetMeeting session between SSL VPN users.

In brief overview of method 700, at step 705, the client 102 on a firstnetwork 104 establishes a connection via the appliance 200 to a secondnetwork 104′, such as an SSL VPN connection. At step 710, the appliance200 provides or assigns an IIP address on the second network 104′ forthe client 102, and generates a user domain name 437 according to theuser domain name policy 430. At step 715, the appliance 200 stores theuser domain name 437 and IIP address association of the user in a DNS orDNS cache. At step 720, the appliance 200 receives a request for the IIPaddress 282 of the user based on the user domain name 437, such as via aping command or a DNS query. At step 725, the appliance determines fromthe domain name service, the IIP address 282 associated with the userdomain name 437. At step 730, the appliance 200 provides the determinedIIP address 282 of the user in response to the request.

In further details, at step 705, the client agent 102 establishes atransport layer connection with the appliance 200, such as via thetransport control protocol or user datagram protocol. In one embodiment,the client agent 120 establishes a tunnel connection with the appliance200 using any type and form of tunneling protocol. In anotherembodiment, the client agent 120 establishes a virtual private networkconnection via the appliance 200 to a network 104′. For example, theclient agent 120 may establish a virtual private network connection withthe appliance 200 to connect the client 102 on the first network 104 toa second network 104′. In some embodiments, the client agent 120establishes a SSL VPN connection with the appliance 200. In yet anotherembodiment, the client agent 120 establishes a tunnel or virtual privatenetwork connection using Transport Layer Secure (TLS) protocol. In oneembodiment, the client agent 120 establishes a tunnel connection withthe appliance 200 using the Common Gateway Protocol (CGP) manufacturedby Citrix Systems, Inc. of Ft. Lauderdale, Fla.

At step 710, the appliance 200 provides the client 102 an IP address onthe second network 104′. In one embodiment, the appliance 200 assignsthe client 102 an IIP address 282. In some embodiments, the appliance200 assigns the user of the client 102 an IIP address 282 using any ofthe techniques and methods discussed above in connection with method 500and FIG. 5 or method 600 and FIG. 6. In another embodiment, theappliance 200 uses a Mapped IP 440 address for the client 102. In yetanother embodiment, the appliance 200 and client 102 use a transferredsession with its corresponding IIP address 282 for establishing theconnection at step 605 and providing the IIP address 282 at step 610. Insome embodiments, the appliance 200, on behalf of the client 102, hoststhe IIP address 282 of the client 102 on network 104′.

At step 710, the appliance 200, in some embodiments, generates a userdomain name 437 based on the user domain name policy 430. For example,in one embodiment, the appliance 200 generates a user domain namecomprising a specified domain suffix 435 associated with the useridentifier. In one embodiment, the domain suffix 435 comprises a domainname of the network 104′ or the host name of the appliance 200. In someembodiments, any arbitrary domain suffix 435 may be specified for theuser domain name 437. In other embodiments, the appliance 200 has ormaintains an established user domain name 437 for the user. For example,the appliance 200 may re-associate a newly assigned IIP address 282 withthe user domain name 437.

At step 715, the appliance 200 stores in a domain name service or otherdatabase, the association of the IIP address 282 of the user with theuser domain name 437. In some embodiments, the appliance 200 stores arecord in the DNS that maps the IIP address 282 to the user domain name437. In one embodiment, the appliance 200 stores this record orassociation in the DNS 286 or DNS cache of the appliance. In otherembodiments, the appliance 200 stores a record mapping the IIP addressto the user domain name in another DNS, such as DNS 406. In yet anotherembodiment, the appliance 200 stores the IIP address/user domain name asa record or entry in the IPLWDB 450. In still other embodiments, theappliance 200 maintains the IIP address/user domain name association inmemory, such as in a data structure or object, or in storage, such as ina file or cache.

At step 720, the appliance 200 receives or intercepts a request todetermine the IIP address 282 of a user domain name 237. In someembodiments, the appliance 200 receives a DNS query to resolve the userdomain name 237 via an SSL VPN connection client. In other embodiments,200 receives the DNS query from any client 102 on the same 104′ ordifferent network 104 that can access the DNS 286 services of theappliance 200. In some embodiments, the appliance 200 receives the DNSquery forwarded from a server 106, another DNS, or another appliance200. In another embodiment, the appliance 200 intercepts any type andform of Internet Control Message Protocol (ICMP) request, such as a pingcommand, that refers to or includes the user domain name 237. In yetanother embodiment, the client agent 120 intercepts the ICMP request andtransmits the request to the appliance 200, such as via the SSL VPNconnection of the client or a control connection between the clientagent 120 and the appliance 200.

At step 725, the appliance 200 determines the IIP address 282 associatedwith the user domain name 438 specified via the request. In oneembodiment, the appliance 200 performs a lookup in the DNS cache 286. Inother embodiments, the appliance 200 transmits a DNS query request orlookup to another DNS, such as DNS 406. In some embodiments, theapplication 200 does a lookup in a database using the user domain name437 as the key or index. In yet another embodiment, the application 200performs a lookup operation in the IPLWDB 450 for the IIP address 282associated with the user domain name 437. In some embodiments, theapplication 200 looks up the IIP address 282 in memory, such as via adata structure or object. In other embodiments, the application 200determines the IIP address 282 from a cache. In still anotherembodiment, the appliance 200 determines the IIP address 282 from aclient agent 120, for example, the client agent 120 providing the SSLVPN connection of the user identified by the user domain name 237.

At step 730, the appliance 200 provides the determined IIP address 282of the user in response to the request of step 720. In some embodiments,the appliance 200 transmits a response to the sender of the DNS query.For example, the appliance 200 may transmit the DNS query response to aclient, server, another appliance or another DNS. In other embodiments,the appliance 200 transmits a message to a client agent 120 identifyingthe IIP address 282. For example, in the case of the client agent 120intercepting a ping of an SSL VPN user, the client agent 120 responds tothe ping with the IIP address of the user domain name. In someembodiments, the client agent 120 also provides ping statistics alongwith the IIP address 282, which may have been determined and provided bythe appliance 200. With the IIP address of the SSL VPN user, a user,client or application can communicate, collaborate or connect to theidentified SSL VPN user.

In view of the structure, functions and operations of the system andmethods described above, the appliance and client agent providetechniques for more efficiently using assigned Intranet InternetProtocol (IIP) addresses by SSL VPN users. The appliance manages andsupports IIP stickiness to a user by assigning an IIP address based onpolicy, temporal and status information. With the configurable userdomain naming scheme, the appliances provides a mechanism for users,clients and other applications to determine the IIP address assigned toa SSL VPN user. Additionally, the client agent provides a mechanism forseamlessly providing the IIP address to applications communicating viaan SSL VPN connection to the private network.

Many alterations and modifications may be made by those having ordinaryskill in the art without departing from the spirit and scope of theinvention. Therefore, it must be expressly understood that theillustrated embodiments have been shown only for the purposes of exampleand should not be taken as limiting the invention, which is defined bythe following claims. These claims are to be read as including what theyset forth literally and also those equivalent elements which areinsubstantially different, even though not identical in other respectsto what is shown and described in the above illustrations.

1-28. (canceled)
 29. A method for assigning an intranet address to auser by an intermediary device, the method comprising: (a) receiving, bya device intermediary to at least one client and at least one server, arequest to establish a session of a first user with a first network; (b)determining, by the device responsive to a policy, one or more intranetaddresses to assign to the first user, the one or more intranetaddresses for assigning to one or more sessions of the first user anddifferent from addresses of clients operated by the first user; and (c)assigning, by the device, to the established session of the first useras an internet protocol address on the first network, a first intranetaddress from the one or more intranet addresses, the first intranetaddress previously assigned to another session of the first user. 30.The method of claim 29, comprising applying the policy to the request,the policy assigning a most recently used intranet address of the firstuser to the established session of the first user.
 31. The method ofclaim 29, comprising determining a most recently used intranet addressof the first user for the first intranet address.
 32. The method ofclaim 29, comprising determining an inactive intranet address from theone or more intranet address as the first intranet address.
 33. Themethod of claim 29, comprising determining that the one or more intranetaddress of the first user are active, and in response to thedetermination, requesting the first user to transfer to a session of thefirst user assigned an active intranet address.
 34. The method of claim29, comprising determining that the one or more intranet address of thefirst user are active, and in response to the determination, providing amapped internet protocol address to the first user.
 35. The method ofclaim 29, comprising hosting, by the appliance, the one or more intranetaddresses.
 36. The method of claim 29, comprising determining the one ormore intranet addresses as a range of internet protocol addressesidentified via a subnet mask.
 37. The method of claim 29, comprisingallocating a pool of intranet addresses to assign to a plurality ofusers accessing the first network via one or more sessions.
 38. Themethod of claim 29, comprising obtaining the one or more intranetaddresses from a Domain Name Server of the first network.
 39. A systemfor assigning one of a plurality of intranet addresses to a user by anintermediary device, comprising: a receiver of a device intermediary toat least one client and at least one server, receiving a request toestablish a session of a first user with a first network; and a policyengine executing on the device, determining based on a policy one ormore intranet addresses to assign to the first user, the one or moreintranet addresses for assigning to one or more sessions of the firstuser and different from addresses of clients operated by the first user,and assigning to the established session of the first user as aninternet protocol address on the first network, a first intranet addressfrom the one or more intranet addresses, the first intranet addresspreviously assigned to another session of the first user.
 40. The systemof claim 39, wherein the policy engine applies the policy to therequest, the policy assigning a most recently used intranet address ofthe first user to the established session of the first user.
 41. Thesystem of claim 39, wherein the policy engine determines a most recentlyused intranet address of the first user for the first intranet address.42. The system of claim 39, wherein the policy engine determines aninactive intranet address from the one or more intranet address as thefirst intranet address.
 43. The system of claim 39, wherein the policyengine determines that the one or more intranet address of the firstuser are active, and in response to the determination, requesting thefirst user to transfer to a session of the first user assigned an activeintranet address.
 44. The system of claim 39, wherein the policy enginedetermines that the one or more intranet address of the first user areactive, and in response to the determination, providing a mappedinternet protocol address to the first user.
 45. The system of claim 39,wherein the device hosts the one or more intranet addresses.
 46. Thesystem of claim 39, wherein the policy engine determines the one or moreintranet addresses as a range of internet protocol addresses identifiedvia a subnet mask.
 47. The system of claim 39, wherein the deviceallocates a pool of intranet addresses to assign to a plurality of usersaccessing the first network via one or more sessions.
 48. The system ofclaim 39, wherein the device obtains the one or more intranet addressesfrom a Domain Name Server of the first network.